CVE-2026-8643

Description

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

How to fix CVE-2026-8643

To remediate CVE-2026-8643, upgrade the affected package to a fixed version below.

Debian/python-pip—no fix listed
PyPI/pip—upgrade to 26.1.2 or later

Is CVE-2026-8643 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 26.1.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (4)

ADVISORYmail.python.org/archives/list/security-announce@python.org/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-8643
ADVISORYwww.openwall.com/lists/oss-security/2026/06/01/5
PATCHgithub.com/pypa/pip/pull/14000