
CVE-2026-3219

CVE-2026-3219 PUBLISHED CVSS 4.6 MEDIUM

pip treats a file that is both a valid tar archive and a valid ZIP archive (for example, a tar file with a ZIP file concatenated to it) as a ZIP file, regardless of its filename. This can produce confusing installation behavior, such as installing files that do not match what the archive's filename suggests. The fixed behavior proceeds with installation only if the file identifies uniquely as either a ZIP or a tar archive, not as both.

EPSS 0.02% · 5.3rd percentile

Risk Scores

CVSS v4.0
4.6
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.02%
5.3rd percentile

Affected Products

Vendor                      Product   Versions
Python Packaging Authority  pip       0

Timeline

  • Apr 20, 2026 CVE Published
  • Apr 20, 2026 PoC Published
  • Apr 20, 2026 PoC Published
  • Apr 21, 2026 Security Advisory
  • Apr 27, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
