CVE-2026-3219
Published 2026-04-20
Priority P4 · medium · CVSS 4.0 base score 4.6
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS 0.14% (4.1st percentile)
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
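An added example of the interpretation conflict described above (the same description is repeated in the GHSA and Red Hat entries further down). This is not pip's code and not code from any advisory on this page: it builds a tar archive and a ZIP archive that both carry a member named pkg/README.txt with different contents, concatenates them into one file named pkg-1.0.tar, and shows that the Python standard library accepts that file as both formats. legacy_pick models the ZIP-first sniffing the description criticises; strict_pick models the fixed rule (proceed only when the file identifies uniquely as ZIP or tar). File names, member paths and contents are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile
import zipfile


def make_tar(members):
    """Build an uncompressed tar archive in memory from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_zip(members):
    """Build a ZIP archive in memory from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_polyglot(tar_members, zip_members):
    """tar followed by ZIP: one byte string that both readers accept.

    tar readers parse from offset 0 and stop at the end-of-archive zero blocks,
    so they never look at the trailing ZIP bytes. ZIP readers locate the central
    directory by scanning backwards from EOF and tolerate leading data, so they
    skip the tar bytes. Which reader is chosen decides what gets installed.
    """
    return make_tar(tar_members) + make_zip(zip_members)


def legacy_pick(path):
    """ZIP-first sniffing, modelling the old behaviour in the advisory text:
    anything zipfile accepts is a ZIP, regardless of filename or tar-ness."""
    if zipfile.is_zipfile(path):
        return "zip"
    if tarfile.is_tarfile(path):
        return "tar"
    return "unknown"


def strict_pick(path):
    """Modelled on the fix described in the advisory (not pip's own code):
    proceed only if the file identifies uniquely as ZIP or tar."""
    is_zip = zipfile.is_zipfile(path)
    is_tar = tarfile.is_tarfile(path)
    if is_zip and is_tar:
        return "ambiguous"
    return "zip" if is_zip else "tar" if is_tar else "unknown"


def read_via_zip(path, name):
    with zipfile.ZipFile(path) as zf:
        return zf.read(name)


def read_via_tar(path, name):
    with tarfile.open(path) as tf:
        return tf.extractfile(name).read()


def demo():
    """Write three constructed archives to a temp dir and report how each is seen."""
    member = "pkg/README.txt"
    tar_only = make_tar({member: b"from tar"})
    zip_only = make_zip({member: b"from zip"})
    polyglot = make_polyglot({member: b"from tar"}, {member: b"from zip"})
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        # "pkg-1.0.tar" is named as a tar but is also a valid ZIP.
        for fname, blob in (("plain.tar", tar_only), ("plain.zip", zip_only),
                            ("pkg-1.0.tar", polyglot)):
            p = os.path.join(d, fname)
            with open(p, "wb") as f:
                f.write(blob)
            paths[fname] = p
        poly = paths["pkg-1.0.tar"]
        return {
            "plain_tar": strict_pick(paths["plain.tar"]),
            "plain_zip": strict_pick(paths["plain.zip"]),
            "poly_is_zipfile": zipfile.is_zipfile(poly),
            "poly_is_tarfile": tarfile.is_tarfile(poly),
            "poly_legacy": legacy_pick(poly),   # "zip": the .tar name is ignored
            "poly_strict": strict_pick(poly),   # "ambiguous": refuse to install
            "poly_zip_view": read_via_zip(poly, member),
            "poly_tar_view": read_via_tar(poly, member),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value!r}")
```

The two readers return different bytes for the same member name, which is the "incorrect files" outcome the description warns about. Checking the extension alone would not help here: the name says tar, and a ZIP-first sniffer still installs the ZIP view. Refusing any file that passes both format checks, as strict_pick does, is the check the fixed behaviour adds.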
Affected
116 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-24 | controller-rhel8 | — | — |
| ansible-automation-platform-25 | controller-rhel8 | — | — |
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | controller-rhel9-operator | — | — |
| ansible-automation-platform-26 | de-minimal-rhel9 | — | — |
| ansible-automation-platform-26 | de-supported-rhel9 | — | — |
| ansible-automation-platform-26 | eda-controller-rhel9-operator | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-26 | gateway-rhel9-operator | — | — |
| ansible-automation-platform-26 | hub-rhel9-operator | — | — |
| ansible-automation-platform-26 | lightspeed-rhel9-operator | — | — |
| ansible-automation-platform-26 | platform-resource-rhel9-operator | — | — |
| ansible-automation-platform-tech-preview | metrics-service-rhel9 | — | — |
| ansible-automation-platform | automation-dashboard-rhel9 | — | — |
| devspaces | udi-rhel9 | — | — |
| discovery | discovery-server-rhel9 | — | — |
| hi | python | — | — |
| lightspeed-core | lightspeed-stack-rhel9 | — | — |
| lightspeed-core | rag-tool-rhel9 | — | — |
| migration-toolkit-virtualization | mtv-rhel9-operator | — | — |
| mta | mta-rhel9-operator | — | — |
| mtv-candidate | mtv-rhel9-operator | — | — |
| openshift-lightspeed | lightspeed-service-api-rhel9 | — | — |
| openshift-service-mesh | kiali-rhel9-operator | — | — |
| openshift4 | ose-ansible-rhel9-operator | — | — |
CVSS provenance
NVD (CVSS 4.0): 4.6 MEDIUM, vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat (vendor): 4.6 MEDIUM
VulDB
Python Packaging Authority pip up to 26.0 ZIP File
vuldb · 2026-04-20 · CVSS 4.6 · MEDIUM
A vulnerability identified as problematic has been detected in Python Packaging Authority pip up to 26.0. This affects an unknown function of the component ZIP File Handler. Performing a manipulation results in an unknown weakness.
This vulnerability is identified as CVE-2026-3219. The attack is only possible with local access. There is not any exploit available.
You should upgrade the affected component.
GHSA
GHSA-58qw-9mgm-455v: pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file
ghsa_unreviewed · 2026-04-20 · MEDIUM · CWE-434
GHSA
pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files
ghsa · 2026-04-20 · MEDIUM · CWE-434
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
Red Hat
pip: pip: Incorrect file installation due to improper archive handling
vendor_redhat · 2026-04-20 · CVSS 4.6 · MEDIUM · CWE-1287
A flaw was found in pip. This vulnerability occurs because pip incorrectly processes concatenated tar and ZIP files as ZIP files, regardless of their true format. This improper handling can lead to confusing installation behavior, potentially causing the installation of unintended or 'incorrect' files. This could allow an attacker to influence the installation process by providing a specially crafted archive.
Package: lightspeed-core/lightspeed-stack-rhel9 (Lightspeed Core) - Fix deferred
Package: lightspeed-core/rag-tool-rhel9 (Lightspeed Core) - Fix deferred
Package: mta/mta-rhel9-operator (Migration Toolkit for Applications 8) - Fix deferred
Package: migration-toolkit-virtualization/mtv-rhel9-operator (Migration
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-3219 python3.6: pip: Incorrect file installation due to improper archive handling [fedora-all]
bugzilla · 2026-04-23 · CVSS 4.6 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-3219 pypy: pip: Incorrect file installation due to improper archive handling [fedora-all]
bugzilla · 2026-04-23 · CVSS 4.6 · MEDIUM
Bugzilla
CVE-2026-3219 python3.15: pip: Incorrect file installation due to improper archive handling [fedora-all]
bugzilla · 2026-04-23 · CVSS 4.6 · MEDIUM
Bugzilla
CVE-2026-3219 pip: pip: Incorrect file installation due to improper archive handling
bugzilla · 2026-04-20 · CVSS 4.6 · MEDIUM