CVE-2026-8643
Public on 2026-05-28
Modified on 2026-05-28
Description
A flaw was found in pip, the package installer for Python. A remote attacker can exploit this vulnerability by tricking a victim into installing a malicious Python wheel. This wheel contains specially crafted entry-point names that use directory traversal or absolute paths. This allows pip to write generated script wrappers outside the intended installation directory, leading to arbitrary file overwrite. This can severely impact system integrity and availability, and in certain scenarios, may lead to arbitrary code execution.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | python-pip | 2026-06-22 | ALAS2-2026-3358 | Fixed |
| Amazon Linux 2023 | python-pip | 2026-06-22 | ALAS2023-2026-1837 | Fixed |
| Amazon Linux 2023 | python3.11-pip | 2026-06-22 | ALAS2023-2026-1839 | Fixed |
| Amazon Linux 2023 | python3.12-pip | 2026-06-22 | ALAS2023-2026-1840 | Fixed |
| Amazon Linux 2023 | python3.13-pip | 2026-06-22 | ALAS2023-2026-1841 | Fixed |
| Amazon Linux 2023 | python3.14-pip | 2026-06-22 | ALAS2023-2026-1838 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | CVSSv3 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |