MEDIUM
Python Packaging Authority
CVE published 2026-06-01
CVE-2026-8643
pip, the Python package installer, incorrectly treats console_scripts and gui_scripts entry point names as filesystem paths rather than as file names. When resolving these to absolute paths, pip fails to sanitize the resulting path against the installation directory boundary. This path traversal flaw allows entry point executables to be written outside the intended installation directory during package in [truncated]
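A defensive check for the flaw described above, as an added example (not pip's code and not taken from the advisory): it parses a wheel's `entry_points.txt` and flags `console_scripts` and `gui_scripts` names that are not plain file names. The function names, the sample metadata and the scripts directory `/opt/venv/bin` are assumptions constructed for illustration.

```python
import configparser
import ntpath
import os

SCRIPT_GROUPS = ("console_scripts", "gui_scripts")

# Constructed sample of a wheel's *.dist-info/entry_points.txt (not real data).
SAMPLE = """\
[console_scripts]
mytool = mypkg.cli:main
../../../tmp/dropped = mypkg.cli:main
sub\\dir\\tool = mypkg.cli:main

[gui_scripts]
mygui = mypkg.gui:main
/abs/elsewhere = mypkg.gui:main
"""

def name_problem(name, scripts_dir):
    """Return a reason string if `name` is not a plain file name, else None."""
    if name in ("", ".", ".."):
        return "not a file name"
    if "/" in name or "\\" in name:  # check both, whatever the host OS is
        return "contains a path separator"
    if ntpath.splitdrive(name)[0]:
        return "contains a Windows drive prefix"
    # Defence in depth: resolve the target and confirm it stays in scripts_dir.
    base = os.path.realpath(scripts_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return "resolves outside the scripts directory"
    return None

def audit_entry_points(entry_points_txt, scripts_dir):
    """List (group, name, reason) for every script name that should be rejected."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep names case-sensitive and unmodified
    parser.read_string(entry_points_txt)
    findings = []
    for group in SCRIPT_GROUPS:
        names = parser[group] if parser.has_section(group) else ()
        for name in names:
            reason = name_problem(name, scripts_dir)
            if reason:
                findings.append((group, name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_entry_points(SAMPLE, "/opt/venv/bin"):
        print(finding)
```

Run against the `entry_points.txt` extracted from a wheel before installation; any finding means the name would be treated as a path rather than a file name.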