UBUNTU-CVE-2026-3219
- Source
- https://ubuntu.com/security/CVE-2026-3219
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-3219.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-3219
- Upstream
- Published
- 2026-04-20T16:16:00Z
- Modified
- 2026-06-03T09:15:12.578560806Z
- Severity
-
- 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
- References
Affected packages
Ubuntu:25.10
python-pip
Package
- Name
- python-pip
- Purl
- pkg:deb/ubuntu/python-pip?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:Pro:14.04:LTS
python-pip
Package
- Name
- python-pip
- Purl
- pkg:deb/ubuntu/python-pip?arch=source&distro=esm-infra-legacy%2Ftrusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1.*
1.4.1-2
1.5.4-1
1.5.4-1ubuntu1
1.5.4-1ubuntu3
1.5.4-1ubuntu4
1.5.4-1ubuntu4+esm1
1.5.4-1ubuntu4+esm2
1.5.4-1ubuntu4+esm3
1.5.4-1ubuntu4+esm4
1.5.4-1ubuntu4+esm5
Ubuntu:Pro:16.04:LTS
python-pip
Package
- Name
- python-pip
- Purl
- pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fxenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1.*
1.5.6-7ubuntu1
1.5.6-7ubuntu2
8.*
8.0.2-7
8.0.3-1
8.0.3-2
8.1.0-1
8.1.0-2
8.1.1-1
8.1.1-2
8.1.1-2ubuntu0.1
8.1.1-2ubuntu0.2
8.1.1-2ubuntu0.4
8.1.1-2ubuntu0.6
8.1.1-2ubuntu0.6+esm2
8.1.1-2ubuntu0.6+esm3
8.1.1-2ubuntu0.6+esm4
8.1.1-2ubuntu0.6+esm5
8.1.1-2ubuntu0.6+esm6
8.1.1-2ubuntu0.6+esm8
8.1.1-2ubuntu0.6+esm10
8.1.1-2ubuntu0.6+esm11
8.1.1-2ubuntu0.6+esm12
Ubuntu:Pro:18.04:LTS
python-pip
Package
- Name
- python-pip
- Purl
- pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fbionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
9.*
9.0.1-2
9.0.1-2.3~ubuntu1
9.0.1-2.3~ubuntu1.18.04.1
9.0.1-2.3~ubuntu1.18.04.2
9.0.1-2.3~ubuntu1.18.04.3
9.0.1-2.3~ubuntu1.18.04.4
9.0.1-2.3~ubuntu1.18.04.5
9.0.1-2.3~ubuntu1.18.04.5+esm2
9.0.1-2.3~ubuntu1.18.04.5+esm3
9.0.1-2.3~ubuntu1.18.04.6
9.0.1-2.3~ubuntu1.18.04.6+esm1
9.0.1-2.3~ubuntu1.18.04.7
9.0.1-2.3~ubuntu1.18.04.7+esm1
9.0.1-2.3~ubuntu1.18.04.8
9.0.1-2.3~ubuntu1.18.04.8+esm1
9.0.1-2.3~ubuntu1.18.04.8+esm2
9.0.1-2.3~ubuntu1.18.04.8+esm4
9.0.1-2.3~ubuntu1.18.04.8+esm6
9.0.1-2.3~ubuntu1.18.04.8+esm7
9.0.1-2.3~ubuntu1.18.04.8+esm8
Ubuntu:Pro:20.04:LTS
python-pip
Package
- Name
- python-pip
- Purl
- pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Ffocal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
18.*
18.1-5
18.1-5build1
18.1-5ubuntu1
20.*
20.0.2-2
20.0.2-4
20.0.2-5
20.0.2-5ubuntu1
20.0.2-5ubuntu1.1
20.0.2-5ubuntu1.3
20.0.2-5ubuntu1.4
20.0.2-5ubuntu1.5
20.0.2-5ubuntu1.6
20.0.2-5ubuntu1.7
20.0.2-5ubuntu1.8
20.0.2-5ubuntu1.9
20.0.2-5ubuntu1.10
20.0.2-5ubuntu1.10+esm2
20.0.2-5ubuntu1.11
20.0.2-5ubuntu1.11+esm2
20.0.2-5ubuntu1.11+esm3
20.0.2-5ubuntu1.11+esm4
Ubuntu:Pro:22.04:LTS
python-pip
Package
- Name
- python-pip
- Purl
- pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fjammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
20.*
20.3.4-4
21.*
21.3.1+dfsg-3
22.*
22.0.2+dfsg-1
22.0.2+dfsg-1ubuntu0.1
22.0.2+dfsg-1ubuntu0.2
22.0.2+dfsg-1ubuntu0.3
22.0.2+dfsg-1ubuntu0.4
22.0.2+dfsg-1ubuntu0.5
22.0.2+dfsg-1ubuntu0.6
22.0.2+dfsg-1ubuntu0.7
22.0.2+dfsg-1ubuntu0.7+esm1
22.0.2+dfsg-1ubuntu0.7+esm2
22.0.2+dfsg-1ubuntu0.7+esm3
Ubuntu:Pro:24.04:LTS
python-pip
Package
- Name
- python-pip
- Purl
- pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fnoble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
23.*
23.2+dfsg-1
23.3+dfsg-1
24.*
24.0+dfsg-1
24.0+dfsg-1ubuntu1
24.0+dfsg-1ubuntu1.1
24.0+dfsg-1ubuntu1.2
24.0+dfsg-1ubuntu1.3
24.0+dfsg-1ubuntu1.3+esm1
24.0+dfsg-1ubuntu1.3+esm2
24.0+dfsg-1ubuntu1.3+esm3
Ubuntu:Pro:26.04:LTS
python-pip
Package
- Name
- python-pip
- Purl
- pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fresolute
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
25.*
25.1.1+dfsg-1ubuntu2
25.1.1+dfsg-1ubuntu2+esm1
25.1.1+dfsg-1ubuntu2+esm2
25.1.1+dfsg-1ubuntu2+esm3