pip: Misidentified tar·ZIP archives can install wrong files
CVE-2026-3219 Published on April 20, 2026

pip doesn't reject concatenated ZIP and tar archives
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Vendor Advisory NVD

Weakness Type

What is an Unrestricted File Upload Vulnerability?

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

CVE-2026-3219 has been classified to as an Unrestricted File Upload vulnerability or weakness.

Products Associated with CVE-2026-3219

Want to know whenever a new CVE is published for Python Pip? stack.watch will email you.

Python Pip

Affected Versions

Python Packaging Authority pip:

Before 26.1 is affected.

pip: Misidentified tar·ZIP archives can install wrong filesCVE-2026-3219 Published on April 20, 2026

Weakness Type

What is an Unrestricted File Upload Vulnerability?

Products Associated with CVE-2026-3219

Affected Versions

pip: Misidentified tar·ZIP archives can install wrong files
CVE-2026-3219 Published on April 20, 2026