Hi,

The following vulnerability was published for setuptools.

CVE-2026-23949[0]:
| jaraco.context, an open-source software package that provides some
| useful decorators and context managers, has a Zip Slip path
| traversal vulnerability in the `jaraco.context.tarball()` function
| starting in version 5.2.0 and prior to version 6.1.0. The
| vulnerability may allow attackers to extract files outside the
| intended extraction directory when malicious tar archives are
| processed. The strip_first_component filter splits the path on the
| first `/` and extracts the second component, while allowing `../`
| sequences. Paths like `dummy_dir/../../etc/passwd` become
| `../../etc/passwd`. Note that this suffers from a nested tarball
| attack as well with multi-level tar files such as
| `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a
| traversal `dummy_dir/../../config/.env` that also gets translated to
| `../../config/.env`. Version 6.1.0 contains a patch for the issue.

setuptools includes a bundled version of jaraco.context.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23949
https://www.cve.org/CVERecord?id=CVE-2026-23949
[1] https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2

Regards,
Salvatore