Improper Handling of Unicode Encoding in setuptools - CVE-2026-59890
Published: July 9, 2026
setuptools
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper handling of unicode encoding in setuptools FileList manifest exclusion matching when building a source distribution on normalization-preserving filesystems with Unicode filenames. A remote attacker can trick the victim into building and publishing a source distribution containing a specially named file to disclose sensitive information.
User interaction is required to build and publish the source distribution, and the issue is specific to Unicode normalization collisions such as NFC/NFD on macOS APFS or HFS+.