PatchSiren cyber security CVE debrief
CVE-2026-59890 pypa CVE debrief
The CVE record was published on 2026-07-08T17:17:27.020Z and has not been modified since then. The NVD entry is currently Awaiting Analysis. This MEDIUM severity vulnerability affects setuptools, a package for downloading, building, installing, upgrading, and uninstalling Python packages. The vulnerability allows an NFD file name to bypass an NFC exclusion rule and be packed into a source distribution on macOS APFS or HFS+. The issue is fixed in version 83.0.0.
- Vendor
- pypa
- Product
- setuptools
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of setuptools, a package for downloading, building, installing, upgrading, and uninstalling Python packages, should be aware of this MEDIUM severity vulnerability. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and assess their exposure.
Technical summary
Prior to version 83.0.0, setuptools' FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization. On macOS APFS or HFS+, an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0. Users should review and update MANIFEST.in files to ensure proper exclusion rules.
Defensive priority
Apply patch or upgrade to version 83.0.0 or later.
Recommended defensive actions
- Apply patch or upgrade to version 83.0.0 or later.
- Review and update MANIFEST.in files to ensure proper exclusion rules.
- Monitor for suspicious activity related to setuptools.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record and NVD entry provide limited information about the vulnerability. Further investigation is needed to fully understand the impact and affected scope. Evidence is limited to CVE and NVD data. Defenders should verify system configurations, review MANIFEST.in files, and monitor for suspicious activity related to setuptools. The issue is fixed in version 83.0.0, but additional verification of affected systems is required.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T17:17:27.020Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.