CVE-2026-8643 - Medium Severity Vulnerability
Vulnerable Libraries - pip-19.1.1-py2.py3-none-any.whl, pip-19.3.1-py2.py3-none-any.whl, pip-9.0.1-py2.py3-none-any.whl
pip-19.1.1-py2.py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl,/awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
Dependency Hierarchy:
- ❌ pip-19.1.1-py2.py3-none-any.whl (Vulnerable Library)
pip-19.3.1-py2.py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl,/awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl
Dependency Hierarchy:
- ❌ pip-19.3.1-py2.py3-none-any.whl (Vulnerable Library)
pip-9.0.1-py2.py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/b6/ac/7015eb97dc749283ffdec1c3a88ddb8ae03b8fad0f0e611408f196358da3/pip-9.0.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/tests/old-wheels/pip-9.0.1-py2.py3-none-any.whl,/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/tests/old-wheels/pip-9.0.1-py2.py3-none-any.whl
Dependency Hierarchy:
- ❌ pip-9.0.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
Vulnerability Details
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
Publish Date: 2026-06-01
URL: CVE-2026-8643
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-01
Fix Resolution: 26.1.2
Step up your Open Source Security Game with Mend here