CVE Catalog

CVE-2026-8643

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile - higher than 24% of all known CVEs

Summary

The vulnerability in pip treats console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, allowing entry points to be installed outside the installation directory.

Risk Assessment

The risk involves the potential placement of malicious executable files in unauthorized system locations, which could lead to privilege escalation or execution of dangerous code.

Recommendation

It is recommended to immediately update pip to the latest patched version and verify that no unauthorized entry points have been installed outside standard directories.

Original NVD description (English source)

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS