CVE-2026-59890

NameCVE-2026-59890
Descriptionsetuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
setuptools (PTS)bullseye52.0.0-4fixed
bullseye (security)52.0.0-4+deb11u2fixed
bookworm66.1.1-1+deb12u2fixed
forky, sid, trixie78.1.1-0.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
setuptoolssource(unstable)(not affected)

Notes

- setuptools <not-affected> (Only affects setuptools on macOS APFS/HFS+)
https://github.com/pypa/setuptools/security/advisories/GHSA-h35f-9h28-mq5c

Search for package or bug name: Reporting problems