OESA-2026-2360 python-pip security update

%changelog Thu Apr 9 2026 yixiangzhike [email protected] - 23.3.1-10 - Fix CVE-2026-25645 Security Fixes: pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavio...

EUVD-2026-23866

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds wit...

PT-2026-33775

Name of the Vulnerable Software and Affected Versions pip affected versions not specified Description pip processes concatenated tar and ZIP files exclusively as ZIP files, ignoring the filename or the fact that the file contains both archive types. This behavior can lead to the installation of...

Malicious code in torchunmix (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 bee332cb141dec3033a9c1590cfb3df81e7dfa66dd4a4ce0072ccc92f9301891 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in p7zip-full (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 af6725a21a64c36ce8e101fd062bb45cb87fdb8cb62df47538390c6c1fc4323c Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2026-593 Malicious code in pypi-package-explore (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 54257ec88b5f7a5bd69177f84a4c396ab208e727ba1c7b079056f1fab2705c37 Package presents an extremely deep obfuscation of a code that is imported during installation. The exact behavior is unknown, but it includes loading encrypted...

Malicious code in python3-6 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d48e27507362baa15b8e41d1554bce82077fcc870112ab6cb4d17694b47c8ef3 During installation, the obfuscated code is run and connect with a remote server. In the current version, the code just opens a URL without exfiltrating any...

Malicious code in rtxt-dep2 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 3a0cd03149005afa6cc505bea16d80c21f5bbbd226c16c659ed6abb41cf730a2 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

DEBIAN-CVE-2021-43616

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have bee...

CVE-2018-20225

A flaw was found in python-pip. The software installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exi...

Receiver 4 Upgrade Causing UAC Prompt

This article is intended for Citrix administrators and technical teams only.Non-admin users must contact their company’s Help Desk/IT support team and can refer toCTX297149for more information We are offering Receiver from our SCCM 2012 Self-Service Application Catalog. We followed...