CVE Details
| CVE ID |
Severity |
Affected Package |
Installed Version |
Fixed Version |
Date Published |
Date of Scan |
| CVE-2026-8643 |
MEDIUM |
pip |
25.0.1 |
26.1.2 |
2026-06-01T17:17:35.77Z |
2026-07-09T10:18:32.887540943Z |
Affected Docker Images
| Image Name |
SHA |
public.ecr.aws/lambda/python:3.12 |
public.ecr.aws/lambda/python@sha256:1469ffd8f9dddd69729abc4ae0d786e6393775aa1ad5f716eacc26d0ff4031c4 |
public.ecr.aws/lambda/python:3.11 |
public.ecr.aws/lambda/python@sha256:2498fc1e13c37cd371afaa8b9dac01ae33f888442f5445b8449cd2484f4505a1 |
public.ecr.aws/lambda/python:3.10 |
public.ecr.aws/lambda/python@sha256:86975d6eb11fa0733ad87cce106af309f64949af210d2e1e03dd41fcfd3178f3 |
Description
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
Remediation Steps
- Update the affected package
pip from version 25.0.1 to 26.1.2.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.
CVE Details
MEDIUMpip25.0.126.1.22026-06-01T17:17:35.77Z2026-07-09T10:18:32.887540943ZAffected Docker Images
public.ecr.aws/lambda/python:3.12public.ecr.aws/lambda/python@sha256:1469ffd8f9dddd69729abc4ae0d786e6393775aa1ad5f716eacc26d0ff4031c4public.ecr.aws/lambda/python:3.11public.ecr.aws/lambda/python@sha256:2498fc1e13c37cd371afaa8b9dac01ae33f888442f5445b8449cd2484f4505a1public.ecr.aws/lambda/python:3.10public.ecr.aws/lambda/python@sha256:86975d6eb11fa0733ad87cce106af309f64949af210d2e1e03dd41fcfd3178f3Description
Remediation Steps
pipfrom version25.0.1to26.1.2.About this issue