Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
CVE-2026-59890 (GCVE-0-2026-59890)
Vulnerability from cvelistv5 – Published: 2026-07-08 16:02 – Updated: 2026-07-08 16:44
VLAI
EPSS
VEX
Title
setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+
Summary
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/pypa/setuptools/security/advis… | x_refsource_CONFIRM |
| https://github.com/pypa/setuptools/commit/dd9f436… | x_refsource_MISC |
| https://github.com/pypa/setuptools/releases/tag/v83.0.0 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| pypa | setuptools |
Affected:
< 83.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59890",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T16:44:32.194805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T16:44:52.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-h35f-9h28-mq5c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "setuptools",
"vendor": "pypa",
"versions": [
{
"status": "affected",
"version": "\u003c 83.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-176",
"description": "CWE-176: Improper Handling of Unicode Encoding",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T16:02:07.519Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pypa/setuptools/security/advisories/GHSA-h35f-9h28-mq5c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-h35f-9h28-mq5c"
},
{
"name": "https://github.com/pypa/setuptools/commit/dd9f436a36486b4cb8a4c70a2321548b0be09b8f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pypa/setuptools/commit/dd9f436a36486b4cb8a4c70a2321548b0be09b8f"
},
{
"name": "https://github.com/pypa/setuptools/releases/tag/v83.0.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pypa/setuptools/releases/tag/v83.0.0"
}
],
"source": {
"advisory": "GHSA-h35f-9h28-mq5c",
"discovery": "UNKNOWN"
},
"title": "setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59890",
"datePublished": "2026-07-08T16:02:07.519Z",
"dateReserved": "2026-07-07T16:40:07.983Z",
"dateUpdated": "2026-07-08T16:44:52.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
PYSEC-2026-3447
Vulnerability from pysec - Published: 2026-07-08 17:17 - Updated: 2026-07-14 10:00
VLAI
Details
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.
Severity
6.1 (Medium)
Impacted products
| Name | purl | setuptools | pkg:pypi/setuptools |
|---|
Aliases
{
"affected": [
{
"ecosystem_specific": {},
"package": {
"ecosystem": "PyPI",
"name": "setuptools",
"purl": "pkg:pypi/setuptools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "83.0.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6b1",
"0.6b2",
"0.6b3",
"0.6b4",
"0.6c1",
"0.6c10",
"0.6c11",
"0.6c2",
"0.6c3",
"0.6c4",
"0.6c5",
"0.6c6",
"0.6c7",
"0.6c8",
"0.6c9",
"0.7.2",
"0.7.3",
"0.7.4",
"0.7.5",
"0.7.6",
"0.7.7",
"0.7.8",
"0.8",
"0.9",
"0.9.1",
"0.9.2",
"0.9.3",
"0.9.4",
"0.9.5",
"0.9.6",
"0.9.7",
"0.9.8",
"1.0",
"1.1",
"1.1.1",
"1.1.2",
"1.1.3",
"1.1.4",
"1.1.5",
"1.1.6",
"1.1.7",
"1.2",
"1.3",
"1.3.1",
"1.3.2",
"1.4",
"1.4.1",
"1.4.2",
"10.0",
"10.0.1",
"10.1",
"10.2",
"10.2.1",
"11.0",
"11.1",
"11.2",
"11.3",
"11.3.1",
"12.0",
"12.0.1",
"12.0.2",
"12.0.3",
"12.0.4",
"12.0.5",
"12.1",
"12.2",
"12.3",
"12.4",
"13.0",
"13.0.1",
"13.0.2",
"14.0",
"14.1",
"14.1.1",
"14.2",
"14.3",
"14.3.1",
"15.0",
"15.1",
"15.2",
"16.0",
"17.0",
"17.1",
"17.1.1",
"18.0",
"18.0.1",
"18.1",
"18.2",
"18.3",
"18.3.1",
"18.3.2",
"18.4",
"18.5",
"18.6",
"18.6.1",
"18.7",
"18.7.1",
"18.8",
"18.8.1",
"19.0",
"19.1",
"19.1.1",
"19.2",
"19.3",
"19.4",
"19.4.1",
"19.5",
"19.6",
"19.6.1",
"19.6.2",
"19.7",
"2.0",
"2.0.1",
"2.0.2",
"2.1",
"2.1.1",
"2.1.2",
"2.2",
"20.0",
"20.1",
"20.1.1",
"20.10.1",
"20.2.2",
"20.3",
"20.3.1",
"20.4",
"20.6.6",
"20.6.7",
"20.6.8",
"20.7.0",
"20.8.0",
"20.8.1",
"20.9.0",
"21.0.0",
"21.1.0",
"21.2.0",
"21.2.1",
"21.2.2",
"22.0.0",
"22.0.1",
"22.0.2",
"22.0.4",
"22.0.5",
"23.0.0",
"23.1.0",
"23.2.0",
"23.2.1",
"24.0.0",
"24.0.1",
"24.0.2",
"24.0.3",
"24.1.0",
"24.1.1",
"24.2.0",
"24.2.1",
"24.3.0",
"24.3.1",
"25.0.0",
"25.0.1",
"25.0.2",
"25.1.0",
"25.1.1",
"25.1.2",
"25.1.3",
"25.1.4",
"25.1.5",
"25.1.6",
"25.2.0",
"25.3.0",
"25.4.0",
"26.0.0",
"26.1.0",
"26.1.1",
"27.0.0",
"27.1.0",
"27.1.2",
"27.2.0",
"27.3.0",
"27.3.1",
"28.0.0",
"28.1.0",
"28.2.0",
"28.3.0",
"28.4.0",
"28.5.0",
"28.6.0",
"28.6.1",
"28.7.0",
"28.7.1",
"28.8.0",
"28.8.1",
"29.0.0",
"29.0.1",
"3.0",
"3.0.1",
"3.0.2",
"3.1",
"3.2",
"3.3",
"3.4",
"3.4.1",
"3.4.2",
"3.4.3",
"3.4.4",
"3.5",
"3.5.1",
"3.5.2",
"3.6",
"3.7",
"3.7.1",
"3.8",
"3.8.1",
"30.0.0",
"30.1.0",
"30.2.0",
"30.2.1",
"30.3.0",
"30.4.0",
"31.0.0",
"31.0.1",
"32.0.0",
"32.1.0",
"32.1.1",
"32.1.2",
"32.1.3",
"32.2.0",
"32.3.0",
"32.3.1",
"33.1.0",
"33.1.1",
"34.0.0",
"34.0.1",
"34.0.2",
"34.0.3",
"34.1.0",
"34.1.1",
"34.2.0",
"34.3.0",
"34.3.1",
"34.3.2",
"34.3.3",
"34.4.0",
"34.4.1",
"35.0.0",
"35.0.1",
"35.0.2",
"36.0.1",
"36.1.0",
"36.1.1",
"36.2.0",
"36.2.1",
"36.2.2",
"36.2.3",
"36.2.4",
"36.2.5",
"36.2.6",
"36.2.7",
"36.3.0",
"36.4.0",
"36.5.0",
"36.6.0",
"36.6.1",
"36.7.0",
"36.7.1",
"36.7.2",
"36.8.0",
"37.0.0",
"38.0.0",
"38.1.0",
"38.2.0",
"38.2.1",
"38.2.3",
"38.2.4",
"38.2.5",
"38.3.0",
"38.4.0",
"38.4.1",
"38.5.0",
"38.5.1",
"38.5.2",
"38.6.0",
"38.6.1",
"38.7.0",
"39.0.0",
"39.0.1",
"39.1.0",
"39.2.0",
"4.0",
"4.0.1",
"40.0.0",
"40.1.0",
"40.1.1",
"40.2.0",
"40.3.0",
"40.4.0",
"40.4.1",
"40.4.2",
"40.4.3",
"40.5.0",
"40.6.0",
"40.6.1",
"40.6.2",
"40.6.3",
"40.7.0",
"40.7.1",
"40.7.2",
"40.7.3",
"40.8.0",
"40.9.0",
"41.0.0",
"41.0.1",
"41.1.0",
"41.2.0",
"41.3.0",
"41.4.0",
"41.5.0",
"41.5.1",
"41.6.0",
"42.0.0",
"42.0.1",
"42.0.2",
"43.0.0",
"44.0.0",
"44.1.0",
"44.1.1",
"45.0.0",
"45.1.0",
"45.2.0",
"45.3.0",
"46.0.0",
"46.1.0",
"46.1.1",
"46.1.2",
"46.1.3",
"46.2.0",
"46.3.0",
"46.3.1",
"46.4.0",
"47.0.0",
"47.1.0",
"47.1.1",
"47.2.0",
"47.3.0",
"47.3.1",
"47.3.2",
"48.0.0",
"49.0.0",
"49.0.1",
"49.1.0",
"49.1.1",
"49.1.2",
"49.1.3",
"49.2.0",
"49.2.1",
"49.3.0",
"49.3.1",
"49.3.2",
"49.4.0",
"49.5.0",
"49.6.0",
"5.0",
"5.0.1",
"5.0.2",
"5.1",
"5.2",
"5.3",
"5.4",
"5.4.1",
"5.4.2",
"5.5",
"5.5.1",
"5.6",
"5.7",
"5.8",
"50.0.0",
"50.0.1",
"50.0.2",
"50.0.3",
"50.1.0",
"50.2.0",
"50.3.0",
"50.3.1",
"50.3.2",
"51.0.0",
"51.1.0",
"51.1.0.post20201221",
"51.1.1",
"51.1.2",
"51.2.0",
"51.3.0",
"51.3.1",
"51.3.2",
"51.3.3",
"52.0.0",
"53.0.0",
"53.1.0",
"54.0.0",
"54.1.0",
"54.1.1",
"54.1.2",
"54.1.3",
"54.2.0",
"56.0.0",
"56.1.0",
"56.2.0",
"57.0.0",
"57.1.0",
"57.2.0",
"57.3.0",
"57.4.0",
"57.5.0",
"58.0.0",
"58.0.1",
"58.0.2",
"58.0.3",
"58.0.4",
"58.1.0",
"58.2.0",
"58.3.0",
"58.4.0",
"58.5.0",
"58.5.1",
"58.5.2",
"58.5.3",
"59.0.1",
"59.1.0",
"59.1.1",
"59.2.0",
"59.3.0",
"59.4.0",
"59.5.0",
"59.6.0",
"59.7.0",
"59.8.0",
"6.0.1",
"6.0.2",
"6.1",
"60.0.0",
"60.0.1",
"60.0.2",
"60.0.3",
"60.0.4",
"60.0.5",
"60.1.0",
"60.1.1",
"60.10.0",
"60.2.0",
"60.3.0",
"60.3.1",
"60.4.0",
"60.5.0",
"60.6.0",
"60.7.0",
"60.7.1",
"60.8.0",
"60.8.1",
"60.8.2",
"60.9.0",
"60.9.1",
"60.9.2",
"60.9.3",
"61.0.0",
"61.1.0",
"61.1.1",
"61.2.0",
"61.3.0",
"61.3.1",
"62.0.0",
"62.1.0",
"62.2.0",
"62.3.0",
"62.3.1",
"62.3.2",
"62.3.3",
"62.3.4",
"62.4.0",
"62.5.0",
"62.6.0",
"63.0.0",
"63.0.0b1",
"63.1.0",
"63.2.0",
"63.3.0",
"63.4.0",
"63.4.1",
"63.4.2",
"63.4.3",
"64.0.0",
"64.0.1",
"64.0.2",
"64.0.3",
"65.0.0",
"65.0.1",
"65.0.2",
"65.1.0",
"65.1.1",
"65.2.0",
"65.3.0",
"65.4.0",
"65.4.1",
"65.5.0",
"65.5.1",
"65.6.0",
"65.6.1",
"65.6.2",
"65.6.3",
"65.7.0",
"66.0.0",
"66.1.0",
"66.1.1",
"67.0.0",
"67.1.0",
"67.2.0",
"67.3.1",
"67.3.2",
"67.3.3",
"67.4.0",
"67.5.0",
"67.5.1",
"67.6.0",
"67.6.1",
"67.7.0",
"67.7.1",
"67.7.2",
"67.8.0",
"68.0.0",
"68.1.0",
"68.1.2",
"68.2.0",
"68.2.1",
"68.2.2",
"69.0.0",
"69.0.1",
"69.0.2",
"69.0.3",
"69.1.0",
"69.1.1",
"69.2.0",
"69.3.0",
"69.3.1",
"69.4.0",
"69.4.1",
"69.4.2",
"69.5.0",
"69.5.1",
"7.0",
"70.0.0",
"70.1.0",
"70.1.1",
"70.2.0",
"70.3.0",
"71.0.0",
"71.0.1",
"71.0.2",
"71.0.3",
"71.0.4",
"71.1.0",
"72.0.0",
"72.1.0",
"72.2.0",
"73.0.0",
"73.0.1",
"74.0.0",
"74.1.0",
"74.1.1",
"74.1.2",
"74.1.3",
"75.0.0",
"75.1.0",
"75.2.0",
"75.3.0",
"75.3.1",
"75.3.2",
"75.3.3",
"75.3.4",
"75.4.0",
"75.5.0",
"75.6.0",
"75.7.0",
"75.8.0",
"75.8.1",
"75.8.2",
"75.9.0",
"75.9.1",
"76.0.0",
"76.1.0",
"77.0.1",
"77.0.3",
"78.0.1",
"78.0.2",
"78.1.0",
"78.1.1",
"79.0.0",
"79.0.1",
"8.0",
"8.0.1",
"8.0.2",
"8.0.3",
"8.0.4",
"8.1",
"8.2",
"8.2.1",
"8.3",
"80.0.0",
"80.0.1",
"80.1.0",
"80.10.1",
"80.10.2",
"80.2.0",
"80.3.0",
"80.3.1",
"80.4.0",
"80.6.0",
"80.7.0",
"80.7.1",
"80.8.0",
"80.9.0",
"81.0.0",
"82.0.0",
"82.0.1",
"9.0",
"9.0.1",
"9.1"
]
}
],
"aliases": [
"CVE-2026-59890",
"GHSA-h35f-9h28-mq5c"
],
"details": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.",
"id": "PYSEC-2026-3447",
"modified": "2026-07-14T10:00:10.310542Z",
"published": "2026-07-08T17:17:27.020Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/pypa/setuptools/releases/tag/v83.0.0"
},
{
"type": "FIX",
"url": "https://github.com/pypa/setuptools/commit/dd9f436a36486b4cb8a4c70a2321548b0be09b8f"
},
{
"type": "EVIDENCE",
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-h35f-9h28-mq5c"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}