CVE-2026-59890

Source
https://cve.org/CVERecord?id=CVE-2026-59890
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59890.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59890
Aliases
  • GHSA-h35f-9h28-mq5c
Downstream
Published
2026-07-08T16:02:07.519Z
Modified
2026-07-12T03:55:01.417208276Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N CVSS Calculator
Summary
setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+
Details

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-176",
        "CWE-697"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59890.json"
}
References

Affected packages

Git / github.com/pypa/setuptools

Affected ranges

Type
GIT
Repo
https://github.com/pypa/setuptools
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "83.0.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v59.*
v59.8.0
v60.*
v60.0.0
v60.0.1
v60.0.2
v60.0.3
v60.0.4
v60.0.5
v60.1.0
v60.1.1
v60.10.0
v60.2.0
v60.3.0
v60.3.1
v60.4.0
v60.5.0
v60.5.1
v60.5.2
v60.5.3
v60.5.4
v60.6.0
v60.7.0
v60.7.1
v60.8.0
v60.8.1
v60.8.2
v60.9.0
v60.9.1
v60.9.2
v60.9.3
v61.*
v61.0.0
v61.1.0
v61.1.1
v61.2.0
v61.3.0
v61.3.1
v62.*
v62.0.0
v62.1.0
v62.2.0
v62.3.0
v62.3.1
v62.3.2
v62.3.3
v62.3.4
v62.4.0
v62.5.0
v62.6.0
v63.*
v63.0.0
v63.1.0
v63.2.0
v63.3.0
v63.4.0
v63.4.1
v63.4.2
v63.4.3
v64.*
v64.0.0
v64.0.1
v64.0.2
v64.0.3
v65.*
v65.0.0
v65.0.1
v65.0.2
v65.1.0
v65.1.1
v65.2.0
v65.3.0
v65.4.0
v65.4.1
v65.5.0
v65.5.1
v65.6.0
v65.6.1
v65.6.2
v65.6.3
v65.7.0
v66.*
v66.0.0
v66.1.0
v66.1.1
v67.*
v67.0.0
v67.1.0
v67.2.0
v67.3.0
v67.3.1
v67.3.2
v67.3.3
v67.4.0
v67.5.0
v67.5.1
v67.6.0
v67.6.1
v67.7.0
v67.7.1
v67.7.2
v67.8.0
v68.*
v68.0.0
v68.1.0
v68.1.1
v68.1.2
v68.2.0
v68.2.0b1
v68.2.1
v68.2.2
v69.*
v69.0.0
v69.0.1
v69.0.2
v69.1.0
v69.1.1
v69.2.0
v69.3.0
v69.4.0
v69.5.0
v69.5.1
v70.*
v70.0.0
v70.1.0
v70.1.1
v70.2.0
v70.3.0
v71.*
v71.0.0
v71.0.1
v71.0.2
v71.0.3
v71.0.4
v71.1.0
v72.*
v72.0.0
v72.1.0
v72.2.0
v73.*
v73.0.0
v73.0.1
v74.*
v74.0.0
v74.1.0
v74.1.1
v74.1.2
v75.*
v75.0.0
v75.1.0
v75.1.1
v75.2.0
v75.3.0
v75.3.2
v75.3.4
v75.4.0
v75.5.0
v75.6.0
v75.7.0
v75.8.0
v75.8.1
v75.8.2
v75.9.0
v75.9.1
v76.*
v76.0.0
v76.1.0
v77.*
v77.0.0
v77.0.1
v77.0.2
v77.0.3
v78.*
v78.0.0
v78.0.1
v78.0.2
v78.1.0
v78.1.1
v79.*
v79.0.0
v79.0.1
v80.*
v80.0.0
v80.0.1
v80.1.0
v80.10.0
v80.10.1
v80.10.2
v80.2.0
v80.3.0
v80.3.1
v80.4.0
v80.5.0
v80.6.0
v80.7.0
v80.7.1
v80.8.0
v80.9.0
v81.*
v81.0.0
v82.*
v82.0.0
v82.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59890.json"