CVE-2026-3219

NameCVE-2026-3219
Descriptionpip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1134492

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-pip (PTS)bullseye20.3.4-4+deb11u1vulnerable
bullseye (security)20.3.4-4+deb11u2vulnerable
bookworm23.0.1+dfsg-1vulnerable
trixie25.1.1+dfsg-1vulnerable
forky, sid26.0.1+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-pipsource(unstable)(unfixed)1134492

Notes

https://mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ/
https://github.com/pypa/pip/pull/13870
Search for package or bug name: Reporting problems