CVE-2026-3219
published 2026-04-20


Priority: P4 20
Severity: medium (CVSS 4.0 base score 4.6)
EPSS: 0.14% (4.1th percentile)
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Affected

116 ranges, showing 25
Vendor / Product / Version range / Fixed in
ansible-automation-platform-24controller-rhel8
ansible-automation-platform-25controller-rhel8
ansible-automation-platform-26controller-rhel9
ansible-automation-platform-26controller-rhel9-operator
ansible-automation-platform-26de-minimal-rhel9
ansible-automation-platform-26de-supported-rhel9
ansible-automation-platform-26eda-controller-rhel9-operator
ansible-automation-platform-26gateway-rhel9
ansible-automation-platform-26gateway-rhel9-operator
ansible-automation-platform-26hub-rhel9-operator
ansible-automation-platform-26lightspeed-rhel9-operator
ansible-automation-platform-26platform-resource-rhel9-operator
ansible-automation-platform-tech-previewmetrics-service-rhel9
ansible-automation-platformautomation-dashboard-rhel9
devspacesudi-rhel9
discoverydiscovery-server-rhel9
hipython
lightspeed-corelightspeed-stack-rhel9
lightspeed-corerag-tool-rhel9
migration-toolkit-virtualizationmtv-rhel9-operator
mtamta-rhel9-operator
mtv-candidatemtv-rhel9-operator
openshift-lightspeedlightspeed-service-api-rhel9
openshift-service-meshkiali-rhel9-operator
openshift4ose-ansible-rhel9-operator

CVSS provenance

NVD: CVSS v4.0, 4.6 MEDIUM, vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor (Red Hat): 4.6 MEDIUM