SUSE-SU-2026:22018-1

Vulnerability from csaf_suse - Published: 2026-06-02 13:37 - Updated: 2026-06-02 13:37
Summary
Security update for python-pip
Severity
Moderate
Notes
Title of the patch: Security update for python-pip
Description of the patch: This update for python-pip fixes the following issues:
- CVE-2026-3219: concatenated tar and ZIP files are handled as ZIP files, resulting in possibly obfuscated malicious code (bsc#1262429).
- CVE-2026-6357: pip self-update functionality can import newly installed modules after wheel installation, resulting in potential arbitrary code execution (bsc#1263442).
Patchnames: SUSE-SLES-16.0-872
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products (the same four packages apply to all three vulnerabilities listed below)
Product                                                  Identifier           Version                     Remediation
SUSE Linux Enterprise Server 16.0                        python313-pip        25.0.1-160000.4.1 (noarch)  Vendor Fix
SUSE Linux Enterprise Server 16.0                        python313-pip-wheel  25.0.1-160000.4.1 (noarch)  Vendor Fix
SUSE Linux Enterprise Server for SAP applications 16.0   python313-pip        25.0.1-160000.4.1 (noarch)  Vendor Fix
SUSE Linux Enterprise Server for SAP applications 16.0   python313-pip-wheel  25.0.1-160000.4.1 (noarch)  Vendor Fix

Threats (per vulnerability, in the order given in the CSAF record below)
CVE-2026-1703: Impact low
CVE-2026-3219: Impact moderate
CVE-2026-6357: Impact moderate

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-pip",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-pip fixes the following issues:\n\n- CVE-2026-3219: concatenated tar and ZIP files are handled as ZIP files, resulting in possibly obfuscated malicious\n  code (bsc#1262429).\n- CVE-2026-6357: pip self-update functionality can import newly installed modules after wheel installation, resulting\n  in potential arbitrary code execution (bsc#1263442).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLES-16.0-872",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22018-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:22018-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622018-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:22018-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047158.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262429",
        "url": "https://bugzilla.suse.com/1262429"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1263442",
        "url": "https://bugzilla.suse.com/1263442"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-1703 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-1703/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-3219 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-3219/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-6357 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-6357/"
      }
    ],
    "title": "Security update for python-pip",
    "tracking": {
      "current_release_date": "2026-06-02T13:37:13Z",
      "generator": {
        "date": "2026-06-02T13:37:13Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:22018-1",
      "initial_release_date": "2026-06-02T13:37:13Z",
      "revision_history": [
        {
          "date": "2026-06-02T13:37:13Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-pip-25.0.1-160000.4.1.noarch",
                "product": {
                  "name": "python313-pip-25.0.1-160000.4.1.noarch",
                  "product_id": "python313-pip-25.0.1-160000.4.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python313-pip-wheel-25.0.1-160000.4.1.noarch",
                "product": {
                  "name": "python313-pip-wheel-25.0.1-160000.4.1.noarch",
                  "product_id": "python313-pip-wheel-25.0.1-160000.4.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server 16.0",
                  "product_id": "SUSE Linux Enterprise Server 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-pip-25.0.1-160000.4.1.noarch as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch"
        },
        "product_reference": "python313-pip-25.0.1-160000.4.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-pip-wheel-25.0.1-160000.4.1.noarch as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
        },
        "product_reference": "python313-pip-wheel-25.0.1-160000.4.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-pip-25.0.1-160000.4.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch"
        },
        "product_reference": "python313-pip-25.0.1-160000.4.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-pip-wheel-25.0.1-160000.4.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
        },
        "product_reference": "python313-pip-wheel-25.0.1-160000.4.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-1703",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-1703"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn\u0027t able to inject or overwrite executable files in typical situations.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
          "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-1703",
          "url": "https://www.suse.com/security/cve/CVE-2026-1703"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257599 for CVE-2026-1703",
          "url": "https://bugzilla.suse.com/1257599"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-02T13:37:13Z",
          "details": "low"
        }
      ],
      "title": "CVE-2026-1703"
    },
    {
      "cve": "CVE-2026-3219",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-3219"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing \"incorrect\" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
          "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-3219",
          "url": "https://www.suse.com/security/cve/CVE-2026-3219"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262429 for CVE-2026-3219",
          "url": "https://bugzilla.suse.com/1262429"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-02T13:37:13Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-3219"
    },
    {
      "cve": "CVE-2026-6357",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-6357"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
          "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-6357",
          "url": "https://www.suse.com/security/cve/CVE-2026-6357"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263442 for CVE-2026-6357",
          "url": "https://bugzilla.suse.com/1263442"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.4.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-02T13:37:13Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-6357"
    }
  ]
}
