CVE-2026-3219
Public on 2026-04-20
Modified on 2026-04-22
Description
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | python-pip | Pending Fix | ||
| Amazon Linux 2023 | python-pip | Pending Fix | ||
| Amazon Linux 2 - Python3 Extra | python3-pip | No Fix Planned | ||
| Amazon Linux 2023 | python3.11-pip | Pending Fix | ||
| Amazon Linux 2023 | python3.12-pip | Pending Fix | ||
| Amazon Linux 2023 | python3.13-pip | Pending Fix | ||
| Amazon Linux 2023 | python3.14-pip | Pending Fix | ||
| Amazon Linux 2 - Python3.8 Extra | python38-pip | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |