CVE-2026-8643: pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory…

medium4.1CVSS 4.0

AVLACLATPPRLUIAVCNVIHVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

Affected

134 ranges· showing 25

Vendor	Product	Version range	Fixed in
ansible-automation-platform-24	controller-rhel8	—	—
ansible-automation-platform-25	controller-rhel8	—	—
ansible-automation-platform-26	controller-rhel9	—	—
ansible-automation-platform-26	controller-rhel9-operator	—	—
ansible-automation-platform-26	de-minimal-rhel9	—	—
ansible-automation-platform-26	de-supported-rhel9	—	—
ansible-automation-platform-26	eda-controller-rhel9-operator	—	—
ansible-automation-platform-26	gateway-rhel9	—	—
ansible-automation-platform-26	gateway-rhel9-operator	—	—
ansible-automation-platform-26	hub-rhel9-operator	—	—
ansible-automation-platform-26	lightspeed-rhel9-operator	—	—
ansible-automation-platform-26	platform-resource-rhel9-operator	—	—
ansible-automation-platform-27	aap-cloud-billing-operator-rhel9	—	—
ansible-automation-platform-tech-preview	metrics-service-rhel9	—	—
ansible-automation-platform-tech-preview	metrics-service-rhel9-operator	—	—
ansible-automation-platform	automation-dashboard-rhel9	—	—
devspaces	udi-rhel9	—	—
discovery	discovery-server-rhel9	—	—
exploit-intelligence-tech-preview	vulnerability-analysis-rhel9	—	—
migration-toolkit-virtualization	mtv-rhel9-operator	—	—
mta	mta-rhel9-operator	—	—
mtv-candidate	mtv-rhel9-operator	—	—
openshift-lightspeed-tech-preview	lightspeed-rag-tool-rhel9	—	—
openshift-lightspeed	lightspeed-service-api-rhel9	—	—
openshift-service-mesh	kiali-rhel9-operator	—	—