Description
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.
Published: 2026-07-08
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 11 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1025
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 10 Jul 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python setuptools
Vendors & Products Python
Python setuptools

Wed, 08 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Description setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.
Title setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+
Weaknesses CWE-176
CWE-697
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}


Subscriptions

Python Setuptools
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T16:44:52.269Z

Reserved: 2026-07-07T16:40:07.983Z

Link: CVE-2026-59890

cve-icon Vulnrichment

Updated: 2026-07-08T16:44:07.106Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-08T16:02:07Z

Links: CVE-2026-59890 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T14:45:15Z

Weaknesses