pip: Path traversal in console_scripts/gui_scripts entry point names allows installing scripts outside of target directory
Moderate severity
GitHub Reviewed
Published
Jun 1, 2026
to the GitHub Advisory Database
•
Updated Jul 10, 2026
Description
Published by the National Vulnerability Database
Jun 1, 2026
Published to the GitHub Advisory Database
Jun 1, 2026
Reviewed
Jul 8, 2026
Last updated
Jul 10, 2026
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
References