CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59890

mediumCVSS 6.1covered by 2 sourcesfirst seen 2026-07-02
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.

CSIRTS triage

What
A MANIFEST.in exclusion bypass can occur due to Unicode normalization collision on macOS APFS/HFS+.
Who is affected
Users of setuptools on macOS are affected.
Urgency
Remediation is medium urgency due to the medium severity of the issue.
Action
Update setuptools to the latest version.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-59890

Get an email if CVE-2026-59890 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-59890

CVE.org record

Embed the live status

CVE-2026-59890 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59890 status](https://www.csirts.com/badge/CVE-2026-59890)](https://www.csirts.com/cve/CVE-2026-59890)