CVE-2026-8643
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk24th percentile - higher than 24% of all known CVEs
Summary
The vulnerability in pip treats console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, allowing entry points to be installed outside the installation directory.
Risk Assessment
The risk involves the potential placement of malicious executable files in unauthorized system locations, which could lead to privilege escalation or execution of dangerous code.
Recommendation
It is recommended to immediately update pip to the latest patched version and verify that no unauthorized entry points have been installed outside standard directories.
Original NVD description (English source)
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

