CVE-2026-59890

Public on 2026-07-08
Modified on 2026-07-10
Description
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
6.1
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core python-setuptools Not Affected
Amazon Linux 2023 python-setuptools Not Affected
Amazon Linux 2023 python-setuptools-rust Not Affected
Amazon Linux 2023 python-setuptools_scm Not Affected
Amazon Linux 2 - Core python2-setuptools Not Affected
Amazon Linux 2 - Python3 Extra python3-setuptools No Fix Planned
Amazon Linux 2023 python3.11-setuptools Not Affected
Amazon Linux 2023 python3.12-setuptools Not Affected
Amazon Linux 2023 python3.13-setuptools Not Affected
Amazon Linux 2023 python3.13-setuptools-rust Not Affected
Amazon Linux 2023 python3.13-setuptools_scm Not Affected
Amazon Linux 2023 python3.14-setuptools Not Affected
Amazon Linux 2 - Python3.8 Extra python38-setuptools No Fix Planned

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N