CVE-2026-3219

Published: Apr 20, 2026

Modified: Apr 20, 2026

PUBLISHED

Description

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Vendor	Product	Versions
Python Packaging Authority	pip	affected `0 - < 26.1`

References

https://github.com/pypa/pip/pull/13870

patch

https://mail.python.org/archives/list/[email protected]/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ/

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-3219

Description

Affected Products

References