CVE-2026-3219 - Medium Severity Vulnerability
Vulnerable Library - pip-26.0.1-py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/de/f0/c81e05b613866b76d2d1066490adf1a3dbc4ee9d9c839961c3fc8a6997af/pip-26.0.1-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/spotfire-python
Path to vulnerable library: /tmp/ws-ua_20260420082819_IRDBDB/python_PQTBCT/202604200828191/env/lib/python3.9/site-packages/pip-26.0.1.dist-info
Dependency Hierarchy:
- ❌ pip-26.0.1-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Before the fix, pip treated a file that is at the same time a valid tar archive and a valid ZIP archive (for example a tar archive with a ZIP archive concatenated after it; tar readers parse from the start of the file, ZIP readers locate the central directory from its end) as a ZIP, regardless of the archive's filename. An archive named as a tar could therefore be installed from its ZIP payload, i.e. from files other than the ones its name suggests, which is confusing installation behavior. The fixed behavior proceeds with installation only if the file identifies uniquely as a ZIP or as a tar archive, not as both.
Publish Date: 2026-04-20
URL: CVE-2026-3219
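The following is an added example, not pip's code and not part of this report. Using only the Python standard library it builds a tar + ZIP polyglot, shows that the pre-fix "if it is a ZIP, treat it as a ZIP" classification described above returns the ZIP payload for a file named as a tar, and implements a check equivalent to the fixed behavior that refuses any file identifying as both. The function names and the sample archive entries are invented for illustration.

```python
import io
import tarfile
import zipfile


def build_tar(entries):
    """Build an uncompressed tar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_zip(entries):
    """Build a ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_polyglot(tar_entries, zip_entries):
    """tar bytes first, ZIP bytes appended.

    tar is parsed from offset 0, so the tar headers are found first; ZIP is
    parsed from the end-of-central-directory record at the very end, and the
    zipfile module tolerates arbitrary prepended data. The same bytes are
    therefore a valid tar archive AND a valid ZIP archive, with different
    contents depending on which reader is used.
    """
    return build_tar(tar_entries) + build_zip(zip_entries)


def detect_formats(data):
    """Return (is_tar, is_zip) using the stdlib probes; both may be True."""
    is_tar = tarfile.is_tarfile(io.BytesIO(data))
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    return is_tar, is_zip


def members_old_behaviour(data):
    """Pre-fix logic as the advisory describes it: a file that looks like a
    ZIP is handled as a ZIP, otherwise as a tar. The filename plays no role."""
    is_tar, is_zip = detect_formats(data)
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {n: zf.read(n) for n in zf.namelist()}
    if is_tar:
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            return {m.name: tf.extractfile(m).read()
                    for m in tf.getmembers() if m.isfile()}
    raise ValueError("not a tar or ZIP archive")


def members_fixed_behaviour(data):
    """Post-fix logic: proceed only if the file identifies uniquely as one
    format. A tar/ZIP polyglot is rejected instead of silently unpacked."""
    is_tar, is_zip = detect_formats(data)
    if is_tar and is_zip:
        raise ValueError("ambiguous archive: identifies as both tar and ZIP")
    return members_old_behaviour(data)


# Constructed sample: what the filename promises (tar) vs. what the ZIP
# reader would actually install. Contents are placeholders, not real code.
TAR_ENTRIES = {"pkg-1.0/setup.py": b"# contents the tar view shows\n"}
ZIP_ENTRIES = {"pkg-1.0/setup.py": b"# different contents in the ZIP view\n"}
POLYGLOT = build_polyglot(TAR_ENTRIES, ZIP_ENTRIES)
POLYGLOT_FILENAME = "pkg-1.0.tar"  # hypothetical name; ignored by the old logic


if __name__ == "__main__":
    print("formats (tar, zip):", detect_formats(POLYGLOT))
    print("old behaviour on", POLYGLOT_FILENAME, "->", members_old_behaviour(POLYGLOT))
    try:
        members_fixed_behaviour(POLYGLOT)
    except ValueError as exc:
        print("fixed behaviour ->", exc)
```

Running the script shows `(True, True)` for the polyglot, the ZIP payload being returned under a `.tar` filename by the old logic, and the fixed logic refusing the file. Plain single-format archives pass both paths unchanged, which is the property the fix has to preserve.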
CVSS 4 Score Details (4.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: N/A
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A