pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2387-1 advisory.

    This update for python fixes the following issues

    - CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting     maliciously       crafted wheel archives (bsc#1257599).
    - CVE-2026-3219: pip doesn't reject concatenated ZIP (bsc#1262429).
    - CVE-2026-4786: Incomplete mitigation of %action expansion for command injection to webbrowser.open()     (bsc#1262319).
    - CVE-2026-6019: BaseCookie.js_output() does not neutralize embedded characters (bsc#1262654).
    - CVE-2026-6100: arbitrary code execution or information disclosure via use-after-free in decompression     modules       (bsc#1262098).
    - CVE-2026-6357: pip self-update functionality can import newly installed modules after wheel installation       (bsc#1263442).

    Changes for python:

    - For SLE-12-SP1 use vendored libffi (bsc#1261652). We have      libffi4.so from SP3 only.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the python3 package has been released.

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3317 advisory.

    pip prior to version 26.1 would run self-update check functionality after installing wheel files which     required importing well-known Python modules names. These module imports were intentionally deferred to     increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are     installed to prevent newly-installed modules from being imported shortly after the installation of a wheel     package. Users should still review package contents prior to installation. (CVE-2026-6357)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1654 advisory.

    pip prior to version 26.1 would run self-update check functionality after installing wheel files which     required importing well-known Python modules names. These module imports were intentionally deferred to     increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are     installed to prevent newly-installed modules from being imported shortly after the installation of a wheel     package. Users should still review package contents prior to installation. (CVE-2026-6357)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1665 advisory.

    pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a     tar and ZIP file. This behavior could result in confusing installation behavior, such as installing     incorrect files according to the filename of the archive. New behavior only proceeds with installation     if the file identifies uniquely as a ZIP or tar archive, not as both. (CVE-2026-3219)

    pip prior to version 26.1 would run self-update check functionality after installing wheel files which     required importing well-known Python modules names. These module imports were intentionally deferred to     increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are     installed to prevent newly-installed modules from being imported shortly after the installation of a wheel     package. Users should still review package contents prior to installation. (CVE-2026-6357)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1653 advisory.

    pip prior to version 26.1 would run self-update check functionality after installing wheel files which     required importing well-known Python modules names. These module imports were intentionally deferred to     increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are     installed to prevent newly-installed modules from being imported shortly after the installation of a wheel     package. Users should still review package contents prior to installation. (CVE-2026-6357)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1666 advisory.

    pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a     tar and ZIP file. This behavior could result in confusing installation behavior, such as installing     incorrect files according to the filename of the archive. New behavior only proceeds with installation     if the file identifies uniquely as a ZIP or tar archive, not as both. (CVE-2026-3219)

    pip prior to version 26.1 would run self-update check functionality after installing wheel files which     required importing well-known Python modules names. These module imports were intentionally deferred to     increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are     installed to prevent newly-installed modules from being imported shortly after the installation of a wheel     package. Users should still review package contents prior to installation. (CVE-2026-6357)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1689 advisory.

    pip prior to version 26.1 would run self-update check functionality after installing wheel files which     required importing well-known Python modules names. These module imports were intentionally deferred to     increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are     installed to prevent newly-installed modules from being imported shortly after the installation of a wheel     package. Users should still review package contents prior to installation. (CVE-2026-6357)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - pip prior to version 26.1 would run self-update check functionality after installing wheel files which     required importing well-known Python modules names. These module imports were intentionally deferred to     increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are     installed to prevent newly-installed modules from being imported shortly after the installation of a wheel     package. Users should still review package contents prior to installation. (CVE-2026-6357)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
321027	SUSE SLES15 Security Update : python (SUSE-SU-2026:2387-1)	Nessus	SuSE Local Security Checks	critical
318606	Photon OS 5.0: Python3 PHSA-2026-5.0-0862	Nessus	PhotonOS Local Security Checks	critical
316997	Amazon Linux 2 : python-pip, --advisory ALAS2-2026-3317 (ALAS-2026-3317)	Nessus	Amazon Linux Local Security Checks	medium
315659	Amazon Linux 2023 : python3.13-pip, python3.13-pip-wheel (ALAS2023-2026-1654)	Nessus	Amazon Linux Local Security Checks	medium
315656	Amazon Linux 2023 : python3.11-pip, python3.11-pip-wheel (ALAS2023-2026-1665)	Nessus	Amazon Linux Local Security Checks	medium
315645	Amazon Linux 2023 : python3.14-pip, python3.14-pip-wheel (ALAS2023-2026-1653)	Nessus	Amazon Linux Local Security Checks	medium
315636	Amazon Linux 2023 : python3.12-pip, python3.12-pip-wheel (ALAS2023-2026-1666)	Nessus	Amazon Linux Local Security Checks	medium
315029	Amazon Linux 2023 : python3-pip, python3-pip-wheel (ALAS2023-2026-1689)	Nessus	Amazon Linux Local Security Checks	medium
310626	Linux Distros Unpatched Vulnerability : CVE-2026-6357	Nessus	Misc.	medium

Detections

Analytics

CVE-2026-6357

medium

Tenable Plugins

critical

critical

medium

medium

medium

medium

medium

medium

medium