CVE-2026-3219

Published: April 23, 2026Last modified: May 13, 2026

Description

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	py3-pip	Unknown (22.3.1-r2)
	25 LTS	py3-pip	Unknown (25.1.1-r0)
	Stream	py3-pip	Fixed (26.1-r0)
Hardened Containers	23 LTS	py3-pip	Unknown (22.3.1-r2)
	25 LTS	py3-pip	Unknown (25.1.1-r0)
	Stream	py3-pip	Fixed (26.1-r0)

References

How to Fix Liberica NIK Not Starting on macOS Catalina and Later

If you use macOS Catalina and later you may encounter the issue that prevents Liberica NIK from starting. To fix it, run the following:

sudo xattr -r -d com.apple.quarantine path/to/graalvm/folder/

If you need more help, check out the FAQ at the bottom of this page or contact us.