Releases1.22K
Frequency16 hours 17 minutes
Last Release
Downloads8.95B
Stars10.5K
Python is an interpreted, interactive, object-oriented, open-source programming language.

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
< 3.15.07.5 HIGH

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

<= 3.14.4, = 3.15.07.5 HIGH

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

< 3.15.06.1 MEDIUM

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

< 3.13.13, >= 3.14.0, < 3.14.4, = 3.15.03.3 LOW

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

< 3.10.0, >= 3.13.0, < 3.13.13, >= 3.14.0, < 3.14.4, = 3.15.07.5 HIGH

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.

< 3.13.13, >= 3.14.0, < 3.14.4, = 3.15.07.5 HIGH

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

< 3.13.13, >= 3.14.0, < 3.14.4, = 3.15.03.3 LOW

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

< 3.13.10, >= 3.14.0, < 3.14.1, = 3.15.05.3 MEDIUM

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.

< 3.13.11, >= 3.14.0, < 3.14.2, = 3.15.05.3 MEDIUM

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

< 3.13.10, >= 3.14.0, < 3.14.1, = 3.15.05.5 MEDIUM

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

= *, = 3.14.0, = 3.15.0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.117.5 HIGH

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

< 3.9.0, >= 3.13.1, < 3.13.11, >= 3.14.0, < 3.14.1, = 3.15.05.5 MEDIUM

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

= 3.14.0, >= 3.13.0, < 3.13.1, >= 3.12.0, < 3.12.8, >= 3.11.0, < 3.11.11, >= 3.10.0, < 3.10.16, < 3.9.217.8 HIGH

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

= 3.13.0, = *, >= 3.12.0, < 3.12.6, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.107.5 HIGH

There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

= 3.13.0, = *, >= 3.12.0, < 3.12.6, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.107.5 HIGH

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.