Fluid Attacks Database

Description

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python-pip	=20.3.4-4 \|\| =20.3.4-4+deb11u1 \|\| =20.3.4-4+deb11u2 \|\| =21.3.1+dfsg-1 \|\| =21.3.1+dfsg-2 \|\| =21.3.1+dfsg-3 \|\| =22.0.2+dfsg-1 \|\| =22.1+dfsg-1 \|\| =22.1.1+dfsg-1 \|\| =22.2+dfsg-1 \|\| =22.3+dfsg-1 \|\| =22.3.1+dfsg-1 \|\| =22.3.1+dfsg-2 \|\| =23.0+dfsg-1 \|\| =23.0+dfsg-2 \|\| =23.0.1+dfsg-1 \|\| =23.1.2+dfsg-1 \|\| =23.1.2+dfsg-2 \|\| =23.2+dfsg-1 \|\| =23.2.1+dfsg-1 \|\| =23.3+dfsg-1 \|\| =24.0+dfsg-1 \|\| =24.0+dfsg-2 \|\| =24.1+dfsg-1 \|\| =24.1.1+dfsg-1 \|\| =24.2+dfsg-1 \|\| =24.3.1+dfsg-1 \|\| =25.0+dfsg-1 \|\| =25.0.1+dfsg-1 \|\| =25.1+dfsg-1 \|\| =25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1 \|\| =26.1.1+dfsg-1	-
debian 12	python-pip	=23.0.1+dfsg-1 \|\| =23.1.2+dfsg-1 \|\| =23.1.2+dfsg-2 \|\| =23.2+dfsg-1 \|\| =23.2.1+dfsg-1 \|\| =23.3+dfsg-1 \|\| =24.0+dfsg-1 \|\| =24.0+dfsg-2 \|\| =24.1+dfsg-1 \|\| =24.1.1+dfsg-1 \|\| =24.2+dfsg-1 \|\| =24.3.1+dfsg-1 \|\| =25.0+dfsg-1 \|\| =25.0.1+dfsg-1 \|\| =25.1+dfsg-1 \|\| =25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1 \|\| =26.1.1+dfsg-1	-
debian 13	python-pip	=25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1 \|\| =26.1.1+dfsg-1	-
debian 14	python-pip	=25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1 \|\| >=0 <26.1.1+dfsg-1	26.1.1+dfsg-1
rpm rhel9	python-39	-	-
rpm rhel8	python-36	-	-
rpm rhel9	python-311	-	-
rpm rhel8	python-312	-	-
pypi	pip	>=0 <26.1	26.1
rpm rhel8	python-311	-	-

1-10 of 14

Aliases

1. CVE-2026-32192. NVD-2026-32193. OSV-DEBIAN-2026-32194. OSV-2026-32195. GCVE-2026-32196. SECURITY-TRACKER-CVE-2026-3219

References

1. https://github.com/pypa/pip/issues/138672. https://github.com/pypa/pip/pull/138703. https://mail.python.org/archives/list/[email protected]/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ4. http://www.openwall.com/lists/oss-security/2026/04/20/8

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.