Search
Find a vulnerability
Search criteria
128 vulnerabilities found for CPython by Python Software Foundation
CVE-2026-15308 (GCVE-0-2026-15308)
Vulnerability from nvd – Published: 2026-07-09 17:10 – Updated: 2026-07-09 19:32
VLAI
EPSS
VEX
Title
Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
Summary
The incremental HTML parser (html.parser.HTMLParser) allows for CPU
denial-of-service through repeated unterminated markup declarations when
processing uncontrolled data.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:31:19.781935Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:31:27.360Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-07-09T19:32:36.790Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/09/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"html.parser",
"html"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Edward-x (https://github.com/YLChen-007)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Gregory P. Smith (https://github.com/gpshead)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The incremental HTML parser (html.parser.HTMLParser) allows for CPU\ndenial-of-service through repeated unterminated markup declarations when\nprocessing uncontrolled data."
}
],
"value": "The incremental HTML parser (html.parser.HTMLParser) allows for CPU\ndenial-of-service through repeated unterminated markup declarations when\nprocessing uncontrolled data."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T19:00:03.303Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F6453LWKSHKCTWFLCOURWPLETNUIW2Z5/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/153031"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/153030"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/07efb08123ba9367a7107325adb9d5626dca1ca9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/7933f4bf7131aa4140750f9404f5de0aa2969ced"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/bcf98ddbc40ec9b3ee87da0124a5660b19b7e606"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/e9f92ac0b298292e7ff998e52cb8ccacfb27a0bd"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-15308",
"datePublished": "2026-07-09T17:10:57.317Z",
"dateReserved": "2026-07-09T17:04:11.926Z",
"dateUpdated": "2026-07-09T19:32:36.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4360 (GCVE-0-2026-4360)
Vulnerability from nvd – Published: 2026-06-30 14:45 – Updated: 2026-07-07 17:01
VLAI
EPSS
VEX
Title
Tarfile.extract() doesn't fully respect filter parameter
Summary
In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4360",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T15:28:24.835246Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:28:30.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"tarfile"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Michael Scovetta (https://github.com/scovetta)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Petr Viktorin (https://github.com/encukou)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter=\u0027data\u0027 to the extract() function."
}
],
"value": "In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter=\u0027data\u0027 to the extract() function."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T17:01:15.080Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/TWZW2PC2AZOV6FENIHFSRC63OM7MBGSB/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/151988"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/151987"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/5e0ef3f1afe892e4f64eb83368db57ac4c40cba0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/7b57e8d51446297b8c7c482d224bc5f1938e4301"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/7ccdbaba2c54250a70d7f25632152df7655a5e0a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/eee3ddf0ca10283cc7fea724aae9cd8665f8d15e"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/d2b2f5eacab4dd48446b63340613b05dcbbf0b44"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Tarfile.extract() doesn\u0027t fully respect filter parameter",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-4360",
"datePublished": "2026-06-30T14:45:35.601Z",
"dateReserved": "2026-03-17T19:25:46.527Z",
"dateUpdated": "2026-07-07T17:01:15.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11972 (GCVE-0-2026-11972)
Vulnerability from nvd – Published: 2026-06-23 22:02 – Updated: 2026-06-30 15:13
VLAI
EPSS
VEX
Title
tarfile opened in streaming mode mishandles EOF
Summary
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11972",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:33:49.665045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:34:06.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"tarfile"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ryan Hileman (https://github.com/lunixbochs)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Petr Viktorin (https://github.com/encukou)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "When using the \"tarfile\" module with a file opened in \"streaming mode\" (mode=\"r|\") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer."
}
],
"value": "When using the \"tarfile\" module with a file opened in \"streaming mode\" (mode=\"r|\") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-252",
"description": "CWE-252",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-606",
"description": "CWE-606",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-770",
"description": "CWE-770",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:13:21.383Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/151981"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/151982"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AXPSKKTSRKXTTJULW3XSIC74WZNAAPPB/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/3f031d431f80668e14f3bc066bbf4369cd9281b9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/4ce6bf7c8aa7725828a38981c306f214c1f29365"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/7f0dc59c9a70f8f3b4da33d7c4a2ba552a7acc21"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/e86666c9dd256d52d0fbef6feb1ea4a51768fdec"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/eb63c0f94dfcbea7fda8eab6213818e134d67192"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "tarfile opened in streaming mode mishandles EOF",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-11972",
"datePublished": "2026-06-23T22:02:45.434Z",
"dateReserved": "2026-06-11T11:35:05.520Z",
"dateUpdated": "2026-06-30T15:13:21.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0864 (GCVE-0-2026-0864)
Vulnerability from nvd – Published: 2026-06-23 17:42 – Updated: 2026-06-24 12:55
VLAI
EPSS
VEX
Title
Configuration Injection via Carriage Return (\r) in write() method
Summary
When using the "configparser" module to write configuration files
containing multi-line text values with carriage return characters (\r) the
resulting file could be injected with unexpected keys and values if the
attacker controls the written value.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T18:34:23.504725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T18:34:49.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "D0n9 (https://github.com/D0n9)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Petr Viktorin (https://github.com/encukou)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "When using the \"configparser\" module to write configuration files\ncontaining multi-line text values with carriage return characters (\\r) the\nresulting file could be injected with unexpected keys and values if the\nattacker controls the written value."
}
],
"value": "When using the \"configparser\" module to write configuration files\ncontaining multi-line text values with carriage return characters (\\r) the\nresulting file could be injected with unexpected keys and values if the\nattacker controls the written value."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T12:55:42.471Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/151559"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/143927"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/0adb386f6e68eb2e73d32e19f235d012df009528"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/71f2e02a52d47417a6fd69f456346cd8aa7aca98"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/aaf850fd333cd89e9aada03d92aaa788a6cb1bb8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Configuration Injection via Carriage Return (\\r) in write() method",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-0864",
"datePublished": "2026-06-23T17:42:01.947Z",
"dateReserved": "2026-01-12T16:07:55.453Z",
"dateUpdated": "2026-06-24T12:55:42.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11940 (GCVE-0-2026-11940)
Vulnerability from nvd – Published: 2026-06-23 16:04 – Updated: 2026-06-30 15:13
VLAI
EPSS
VEX
Title
tarfile extraction filter bypass allows escaping the destination directory
Summary
tarfile.extractall() with the 'data' or 'tar'
filter could be bypassed by a crafted archive where a hardlink
references a symlink stored at a deeper name than the hardlink itself.
The extraction fallback validated the symlink at it's archived location
but recreated it at the hardlink's shallower
path, letting a relative
target the filter judged contained escape the destination directory.
This allowed a malicious tar archive to create a symlink pointing
outside the destination, enabling out-of-destination file reads or
writes. This was an incomplete fix of CVE-2025-4330.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T17:57:25.652265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T17:57:32.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Haruki Oyama (https://github.com/harukioya)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Petr Viktorin (https://github.com/encukou)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "\u003cspan\u003etarfile.extractall()\u003c/span\u003e with the \u003cspan\u003e\u0027data\u0027\u003c/span\u003e or \u003cspan\u003e\u0027tar\u0027\u003c/span\u003e\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u0026nbsp; \nThe extraction fallback validated the symlink at it\u0027s archived location \nbut recreated it at the hardlink\u0027s shallower\u003cbr\u003epath, letting a relative\n target the filter judged contained escape the destination directory.\u0026nbsp; \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330."
}
],
"value": "tarfile.extractall() with the \u0027data\u0027 or \u0027tar\u0027\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u00a0 \nThe extraction fallback validated the symlink at it\u0027s archived location \nbut recreated it at the hardlink\u0027s shallower\npath, letting a relative\n target the filter judged contained escape the destination directory.\u00a0 \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:13:33.568Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/151559"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/LD6QIISNQFQYOIEPJNEUIPV7S3V76FZH/"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/151558"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/672825e2f36a57e173959b0d9d409d4560dab8df"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/771d12dda5140313db0ac550292987975651bbde"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/79c06bd5c6afa3c440d50faf7ee1b147c8832b4c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/be13e86f6b9788a6f4d0419dffef72cbae5865c9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "tarfile extraction filter bypass allows escaping the destination directory",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-11940",
"datePublished": "2026-06-23T16:04:17.321Z",
"dateReserved": "2026-06-10T19:50:59.923Z",
"dateUpdated": "2026-06-30T15:13:33.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12003 (GCVE-0-2026-12003)
Vulnerability from nvd – Published: 2026-06-16 15:18 – Updated: 2026-06-23 17:55
VLAI
EPSS
VEX
Title
CPython >3.11 Insecure Input Validation resulting in privilege escalation
Summary
To allow builds of Python to be run from an in-tree layout (rather than
an installed file layout), the VPATH variable is defined at build time
and used to locate certain landmarks - specifically,
Modules/setup.local. When this landmark is found relative to VPATH
relative to the executable, Python assumes it is running in a source
tree and generates a different default sys.path. This code remains in
release builds, so that release-ready builds can be built in-tree.
On Windows, since builds are written to 'PCbuild/', the value of
VPATH is set to '..\..', which results in a landmark of
'..\..\Modules\setup.local'. This path is outside the install directory
of Python, and may have different permissions, potentially allowing a
low-privilege user to create the landmark and an alternative `Lib`
folder that will be discovered by an otherwise restricted install.
Such a setup occurs with the legacy default install location for all
users (in the now superseded EXE installer), due to how Windows allows
all users to create folders in the root directory of their OS drive.
Our recommended mitigation on Windows is to migrate away from the
legacy installer and use the new [Python install
manager](https://www.python.org/downloads/latest/pymanager/) to install
for the current user. Installs where the directory two levels above the
Python installation directory have equivalent permissions are unaffected
(in general, a per-user install cannot be modified at all by other
users, removing any escalation of privilege risk, and could be directly
modified by a privileged user, making the potential tampering
irrelevant). Alternative mitigations might include preemptively creating
and restricting access to a `Modules` directory. Be aware that only 3.13
and 3.14 will receive updated legacy installers - earlier fixes are only
provided as sources.
Platforms other than Windows allow VPATH to be overridden, but as they
don't usually use a separated directory in the build for binaries, are
unlikely to have a landmark reference outside of the install directory.
The landmark detection involving VPATH is a fallback for when a more
specific landmark - .\pybuilddir.txt - is absent, and was included for
compatibility. Future releases of Python will no longer include the
fallback, and so builds will need to generate or preserve the
pybuilddir.txt file in order to work in-tree. This landmark file has
been generated on Windows since 3.11, and on other platforms for longer.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0b3
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T17:53:54.916961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T17:56:25.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-16T19:12:36.706Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/16/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0b3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jake Yamaki (https://github.com/b6938236)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Steve Dower (https://github.com/zooba)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "To allow builds of Python to be run from an in-tree layout (rather than\u003cbr\u003ean installed file layout), the VPATH variable is defined at build time\u003cbr\u003eand used to locate certain landmarks - specifically,\u003cbr\u003eModules/setup.local. When this landmark is found relative to VPATH\u003cbr\u003erelative to the executable, Python assumes it is running in a source\u003cbr\u003etree and generates a different default sys.path. This code remains in\u003cbr\u003erelease builds, so that release-ready builds can be built in-tree.\u003cbr\u003e\u003cbr\u003eOn Windows, since builds are written to \u0027PCbuild/\u0027, the value of\u003cbr\u003eVPATH is set to \u0027..\\..\u0027, which results in a landmark of\u003cbr\u003e\u0027..\\..\\Modules\\setup.local\u0027. This path is outside the install directory\u003cbr\u003eof Python, and may have different permissions, potentially allowing a\u003cbr\u003elow-privilege user to create the landmark and an alternative `Lib`\u003cbr\u003efolder that will be discovered by an otherwise restricted install.\u003cbr\u003e\u003cbr\u003eSuch a setup occurs with the legacy default install location for all\u003cbr\u003eusers (in the now superseded EXE installer), due to how Windows allows\u003cbr\u003eall users to create folders in the root directory of their OS drive.\u003cbr\u003e\u003cbr\u003eOur recommended mitigation on Windows is to migrate away from the\u003cbr\u003elegacy installer and use the new [Python install\u003cbr\u003emanager](https://www.python.org/downloads/latest/pymanager/) to install\u003cbr\u003efor the current user. Installs where the directory two levels above the\u003cbr\u003ePython installation directory have equivalent permissions are unaffected\u003cbr\u003e(in general, a per-user install cannot be modified at all by other\u003cbr\u003eusers, removing any escalation of privilege risk, and could be directly\u003cbr\u003emodified by a privileged user, making the potential tampering\u003cbr\u003eirrelevant). Alternative mitigations might include preemptively creating\u003cbr\u003eand restricting access to a `Modules` directory. Be aware that only 3.13\u003cbr\u003eand 3.14 will receive updated legacy installers - earlier fixes are only\u003cbr\u003eprovided as sources.\u003cbr\u003e\u003cbr\u003ePlatforms other than Windows allow VPATH to be overridden, but as they\u003cbr\u003edon\u0027t usually use a separated directory in the build for binaries, are\u003cbr\u003eunlikely to have a landmark reference outside of the install directory.\u003cbr\u003e\u003cbr\u003eThe landmark detection involving VPATH is a fallback for when a more\u003cbr\u003especific landmark - .\\pybuilddir.txt - is absent, and was included for\u003cbr\u003ecompatibility. Future releases of Python will no longer include the\u003cbr\u003efallback, and so builds will need to generate or preserve the\u003cbr\u003epybuilddir.txt file in order to work in-tree. This landmark file has\u003cbr\u003ebeen generated on Windows since 3.11, and on other platforms for longer."
}
],
"value": "To allow builds of Python to be run from an in-tree layout (rather than\nan installed file layout), the VPATH variable is defined at build time\nand used to locate certain landmarks - specifically,\nModules/setup.local. When this landmark is found relative to VPATH\nrelative to the executable, Python assumes it is running in a source\ntree and generates a different default sys.path. This code remains in\nrelease builds, so that release-ready builds can be built in-tree.\n\nOn Windows, since builds are written to \u0027PCbuild/\u0027, the value of\nVPATH is set to \u0027..\\..\u0027, which results in a landmark of\n\u0027..\\..\\Modules\\setup.local\u0027. This path is outside the install directory\nof Python, and may have different permissions, potentially allowing a\nlow-privilege user to create the landmark and an alternative `Lib`\nfolder that will be discovered by an otherwise restricted install.\n\nSuch a setup occurs with the legacy default install location for all\nusers (in the now superseded EXE installer), due to how Windows allows\nall users to create folders in the root directory of their OS drive.\n\nOur recommended mitigation on Windows is to migrate away from the\nlegacy installer and use the new [Python install\nmanager](https://www.python.org/downloads/latest/pymanager/) to install\nfor the current user. Installs where the directory two levels above the\nPython installation directory have equivalent permissions are unaffected\n(in general, a per-user install cannot be modified at all by other\nusers, removing any escalation of privilege risk, and could be directly\nmodified by a privileged user, making the potential tampering\nirrelevant). Alternative mitigations might include preemptively creating\nand restricting access to a `Modules` directory. Be aware that only 3.13\nand 3.14 will receive updated legacy installers - earlier fixes are only\nprovided as sources.\n\nPlatforms other than Windows allow VPATH to be overridden, but as they\ndon\u0027t usually use a separated directory in the build for binaries, are\nunlikely to have a landmark reference outside of the install directory.\n\nThe landmark detection involving VPATH is a fallback for when a more\nspecific landmark - .\\pybuilddir.txt - is absent, and was included for\ncompatibility. Future releases of Python will no longer include the\nfallback, and so builds will need to generate or preserve the\npybuilddir.txt file in order to work in-tree. This landmark file has\nbeen generated on Windows since 3.11, and on other platforms for longer."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T17:55:53.735Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/151545"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/151544"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://https://mail.python.org/archives/list/security-announce@python.org/thread/JIFOBO7UX3LY4VJKJUOKYJV62CFR2IRH/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/16c40f944b7bff724a403cf4902763d095bb4b2a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/9e863fab283eddca9c2a8f9d1ee30f4dc243e314"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/a86de0bc236fbb9452f98998fc8437e9fca35700"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/b93d6d3399adbd3a5037b6b92fc3587c85ac5d56"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CPython \u003e3.11 Insecure Input Validation resulting in privilege escalation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-12003",
"datePublished": "2026-06-16T15:18:42.998Z",
"dateReserved": "2026-06-11T17:05:37.519Z",
"dateUpdated": "2026-06-23T17:55:53.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9669 (GCVE-0-2026-9669)
Vulnerability from nvd – Published: 2026-06-08 22:01 – Updated: 2026-07-07 16:59
VLAI
EPSS
VEX
Title
bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow
Summary
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b3 (python) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-08T23:27:25.188Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/08/17"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9669",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T12:23:25.378543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T12:23:44.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"bz2"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b3",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bitshift (https://github.com/TheShiftedBit)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Emma Smith (https://github.com/emmatyping)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data."
}
],
"value": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:59:27.712Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/150600"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/150599"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/157a5df8cb5d82b33f918a7489e72ce95ceb12b6"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/5755d0f083949ff3c5bf3a37e673e24e306b036e"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/619a12b2e545391dc436b3af79dda22337382a6f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/d3ca26983dfbccdf609f24ff5877dc3118e4702d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/938ec030e90c5e53f1faac6fab1643f14e4f4a79"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-9669",
"datePublished": "2026-06-08T22:01:15.420Z",
"dateReserved": "2026-05-27T03:13:18.152Z",
"dateUpdated": "2026-07-07T16:59:27.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7774 (GCVE-0-2026-7774)
Vulnerability from nvd – Published: 2026-06-04 14:21 – Updated: 2026-07-07 16:59
VLAI
EPSS
VEX
Title
tarfile.data_filter path traversal bypass allows writing outside the extraction directory
Summary
tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b2 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7774",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T17:27:23.917872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T17:27:34.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-04T18:45:41.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/04/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"tarfile"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b2",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ph\u00f9ng Si\u00eau \u0110\u1ea1t (OPSWAT Unit 515)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Gregory P. Smith (https://github.com/gpshead)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Petr Viktorin (https://github.com/encukou)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process."
}
],
"value": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:59:55.298Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/149487"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/149486"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/0478bd83d82b255e0f29f613367a59d261e7eaa2"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/0d28f5e46e151718972dfabd91205444d0037b6d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/578411982c16f753f4893532510099ef665117da"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/5cf47a248c35c375d610b87b2f72fd1ed454b558"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/74cca9a92fb7d653e404843a56b8bdc7b0afdbbf"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/10a13bee3c24f9c62b602e696334ff2272a40efc"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/c063191cb7f9170f9565e305f8aa2b79ab2bf609"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "tarfile.data_filter path traversal bypass allows writing outside the extraction directory",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-7774",
"datePublished": "2026-06-04T14:21:23.904Z",
"dateReserved": "2026-05-04T14:47:51.154Z",
"dateUpdated": "2026-07-07T16:59:55.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3276 (GCVE-0-2026-3276)
Vulnerability from nvd – Published: 2026-06-03 14:29 – Updated: 2026-06-16 14:54
VLAI
EPSS
VEX
Title
Potential DoS via quadratic complexity in unicodedata.normalize()
Summary
unicodedata.normalize() can take excessive CPU time when processing
specially crafted Unicode input containing long runs of combining characters
with alternating Canonical Combining Class values.
This affects all normalization forms.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b2 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T17:27:09.393265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T17:27:19.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-03T19:18:17.828Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/03/15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b2",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Seokchan Yoon (https://github.com/ch4n3-yoon)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Tim Peters (https://github.com/tim-one)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Petr Viktorin (https://github.com/encukou)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eunicodedata.normalize()\u003c/span\u003e can take excessive CPU time when processing\u003cbr\u003especially crafted Unicode input containing long runs of combining characters\u003cbr\u003ewith alternating Canonical Combining Class values.\u003cbr\u003eThis affects all normalization forms."
}
],
"value": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T14:54:50.442Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/149080"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/149079"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential DoS via quadratic complexity in unicodedata.normalize()",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-3276",
"datePublished": "2026-06-03T14:29:39.727Z",
"dateReserved": "2026-02-26T15:19:46.862Z",
"dateUpdated": "2026-06-16T14:54:50.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8328 (GCVE-0-2026-8328)
Vulnerability from nvd – Published: 2026-05-13 20:14 – Updated: 2026-06-30 15:09
VLAI
EPSS
VEX
Title
FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
Summary
The ftpcp() function in Lib/ftplib.py was not updated when
CVE-2021-4189 was fixed. While makepasv() was patched to replace
server-supplied PASV host addresses with the actual peer address
(getpeername()[0]), ftpcp() still calls parse227() directly and passes
the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side request forgery (SSRF)
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b2 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:49:18.311219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:49:39.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"ftplib"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b2",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Qi Deng (https://github.com/ikow)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Gregory P. Smith (https://github.com/gpshead)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "\u003cdiv\u003eThe ftpcp() function in Lib/ftplib.py was not updated when \nCVE-2021-4189 was fixed. While makepasv() was patched to replace \nserver-supplied PASV host addresses with the actual peer address \n(getpeername()[0]), ftpcp() still calls parse227() directly and passes \nthe raw attacker-controllable IP address and port to target.sendport(). This patch is related to\u0026nbsp;CVE-2021-4189.\u003c/div\u003e"
}
],
"value": "The ftpcp() function in Lib/ftplib.py was not updated when \nCVE-2021-4189 was fixed. While makepasv() was patched to replace \nserver-supplied PASV host addresses with the actual peer address \n(getpeername()[0]), ftpcp() still calls parse227() directly and passes \nthe raw attacker-controllable IP address and port to target.sendport(). This patch is related to\u00a0CVE-2021-4189."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side request forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:09:29.230Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/87451"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/149648"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/5dadc64673ce875ebfb24163907777dae0f6ca06"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/7d95a1dc7382b55cba7fdd6a110336077584a4f0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/bb3446dda6c49b32e67c11dbbbf221b40be00763"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/c88704431ea3248ca769384c13856330976fac1d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/2bbcf3fb7a420a05605576c0f9468d4675381b5f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ef12d0dc824baccf737bba1458e5eed3d1e0fceb"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-8328",
"datePublished": "2026-05-13T20:14:33.751Z",
"dateReserved": "2026-05-11T15:06:00.859Z",
"dateUpdated": "2026-06-30T15:09:29.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7210 (GCVE-0-2026-7210)
Vulnerability from nvd – Published: 2026-05-11 17:19 – Updated: 2026-06-10 18:57
VLAI
EPSS
VEX
Title
The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
Summary
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-331 - Insufficient entropy
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b2 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:53:57.884366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:54:12.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-11T20:34:17.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/11/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/11/13"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"xml",
"expat"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b2",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Gregory P. Smith (https://github.com/gpshead)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."
}
],
"value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:57:50.682Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/149023"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/149018"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-7210",
"datePublished": "2026-05-11T17:19:09.784Z",
"dateReserved": "2026-04-27T14:43:40.042Z",
"dateUpdated": "2026-06-10T18:57:50.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3087 (GCVE-0-2026-3087)
Vulnerability from nvd – Published: 2026-04-27 20:46 – Updated: 2026-06-10 18:04
VLAI
EPSS
VEX
Title
shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
Summary
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0a1 , < 3.14.5rc1 (python) Affected: 3.15.0a1 , < 3.15.0b1 (python) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-28T05:07:42.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T13:38:08.747185Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T14:35:55.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"shutil"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.5rc1",
"status": "affected",
"version": "3.14.0a1",
"versionType": "python"
},
{
"lessThan": "3.15.0b1",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
},
{
"lang": "en",
"type": "reporter",
"value": "GGAutomaton (https://github.com/GGAutomaton)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."
}
],
"value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:04:43.260Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/146591"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/146581"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "shutil.unpack_archive() doesn\u0027t check for Windows absolute paths in ZIPs",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-3087",
"datePublished": "2026-04-27T20:46:43.201Z",
"dateReserved": "2026-02-23T23:14:46.433Z",
"dateUpdated": "2026-06-10T18:04:43.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6019 (GCVE-0-2026-6019)
Vulnerability from nvd – Published: 2026-04-22 19:28 – Updated: 2026-06-10 18:58
VLAI
EPSS
VEX
Title
BaseCookie.js_output() does not neutralize embedded characters
Summary
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-150 - Improper neutralization of escape, meta, or control sequences
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0a1 , < 3.14.5rc1 (python) Affected: 3.15.0a1 , < 3.15.0b1 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T20:02:17.071906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T20:02:34.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.5rc1",
"status": "affected",
"version": "3.14.0a1",
"versionType": "python"
},
{
"lessThan": "3.15.0b1",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "oolongeya (https://github.com/komi22)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003ehttp.cookies.Morsel.js_output()\u003c/code\u003e returns an inline \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e snippet and only escapes \u003ccode\u003e\"\u003c/code\u003e for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003ccode\u003e\u0026lt;/script\u0026gt;\u003c/code\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value."
}
],
"value": "http.cookies.Morsel.js_output() returns an inline \u003cscript\u003e snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003c/script\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper neutralization of escape, meta, or control sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:58:07.798Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/148848"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/90309"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "BaseCookie.js_output() does not neutralize embedded characters",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-6019",
"datePublished": "2026-04-22T19:28:08.720Z",
"dateReserved": "2026-04-09T15:35:00.668Z",
"dateUpdated": "2026-06-10T18:58:07.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3298 (GCVE-0-2026-3298)
Vulnerability from nvd – Published: 2026-04-21 14:45 – Updated: 2026-06-10 18:05
VLAI
EPSS
VEX
Title
Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes
Summary
The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds write
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
3.11.0 , < 3.13.14
(python)
Affected: 3.14.0a1 , < 3.14.5rc1 (python) Affected: 3.15.0a1 , < 3.15.0b1 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3298",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:15:36.206348Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:15:44.557Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "3.11.0",
"versionType": "python"
},
{
"lessThan": "3.14.5rc1",
"status": "affected",
"version": "3.14.0a1",
"versionType": "python"
},
{
"lessThan": "3.15.0b1",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "GGAutomaton (https://github.com/GGAutomaton)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Victor Stinner (https://github.com/vstinner)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."
}
],
"value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:05:02.868Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/148809"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/148808"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/KWTPIQBOOOUNQP7UFSLBI437NJDFLA3F/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/1274766d3c29007ab77245a72abbf8dce2a9db4d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/27522b7d6e6588f03e61099dd858cd5a9314e2f2"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/95633d2aad4721e25e4dfd9f43dfb6e1edcbd741"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-3298",
"datePublished": "2026-04-21T14:45:01.919Z",
"dateReserved": "2026-02-26T20:12:47.041Z",
"dateUpdated": "2026-06-10T18:05:02.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5713 (GCVE-0-2026-5713)
Vulnerability from nvd – Published: 2026-04-14 15:11 – Updated: 2026-06-10 18:58
VLAI
EPSS
VEX
Title
Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target
Summary
The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
3.14.0 , < 3.14.5
(python)
Affected: 3.15.0a1 , < 3.15.0b1 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:49:26.893551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:49:38.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-15T17:24:22.172Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/15/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.14.5",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b1",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Nicholas Gould (https://github.com/gouldnicholas)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pablo Galindo Salgado"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pablo Galindo Salgado"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR."
}
],
"value": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:58:12.898Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/148187"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/148178"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/OG4RHARYSNIE22GGOMVMCRH76L5HKPLM/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/289fd2c97a7e5aecb8b69f94f5e838ccfeee7e67"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/316f6265b7f9ca4ffed5346b747475ef1943f35d"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-5713",
"datePublished": "2026-04-14T15:11:51.122Z",
"dateReserved": "2026-04-06T17:16:14.111Z",
"dateUpdated": "2026-06-10T18:58:12.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15308 (GCVE-0-2026-15308)
Vulnerability from cvelistv5 – Published: 2026-07-09 17:10 – Updated: 2026-07-09 19:32
VLAI
EPSS
VEX
Title
Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
Summary
The incremental HTML parser (html.parser.HTMLParser) allows for CPU
denial-of-service through repeated unterminated markup declarations when
processing uncontrolled data.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:31:19.781935Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:31:27.360Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-07-09T19:32:36.790Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/09/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"html.parser",
"html"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Edward-x (https://github.com/YLChen-007)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Gregory P. Smith (https://github.com/gpshead)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The incremental HTML parser (html.parser.HTMLParser) allows for CPU\ndenial-of-service through repeated unterminated markup declarations when\nprocessing uncontrolled data."
}
],
"value": "The incremental HTML parser (html.parser.HTMLParser) allows for CPU\ndenial-of-service through repeated unterminated markup declarations when\nprocessing uncontrolled data."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T19:00:03.303Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F6453LWKSHKCTWFLCOURWPLETNUIW2Z5/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/153031"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/153030"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/07efb08123ba9367a7107325adb9d5626dca1ca9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/7933f4bf7131aa4140750f9404f5de0aa2969ced"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/bcf98ddbc40ec9b3ee87da0124a5660b19b7e606"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/e9f92ac0b298292e7ff998e52cb8ccacfb27a0bd"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-15308",
"datePublished": "2026-07-09T17:10:57.317Z",
"dateReserved": "2026-07-09T17:04:11.926Z",
"dateUpdated": "2026-07-09T19:32:36.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4360 (GCVE-0-2026-4360)
Vulnerability from cvelistv5 – Published: 2026-06-30 14:45 – Updated: 2026-07-07 17:01
VLAI
EPSS
VEX
Title
Tarfile.extract() doesn't fully respect filter parameter
Summary
In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4360",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T15:28:24.835246Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:28:30.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"tarfile"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Michael Scovetta (https://github.com/scovetta)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Petr Viktorin (https://github.com/encukou)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter=\u0027data\u0027 to the extract() function."
}
],
"value": "In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter=\u0027data\u0027 to the extract() function."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T17:01:15.080Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/TWZW2PC2AZOV6FENIHFSRC63OM7MBGSB/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/151988"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/151987"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/5e0ef3f1afe892e4f64eb83368db57ac4c40cba0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/7b57e8d51446297b8c7c482d224bc5f1938e4301"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/7ccdbaba2c54250a70d7f25632152df7655a5e0a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/eee3ddf0ca10283cc7fea724aae9cd8665f8d15e"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/d2b2f5eacab4dd48446b63340613b05dcbbf0b44"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Tarfile.extract() doesn\u0027t fully respect filter parameter",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-4360",
"datePublished": "2026-06-30T14:45:35.601Z",
"dateReserved": "2026-03-17T19:25:46.527Z",
"dateUpdated": "2026-07-07T17:01:15.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11972 (GCVE-0-2026-11972)
Vulnerability from cvelistv5 – Published: 2026-06-23 22:02 – Updated: 2026-06-30 15:13
VLAI
EPSS
VEX
Title
tarfile opened in streaming mode mishandles EOF
Summary
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11972",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T15:33:49.665045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:34:06.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"tarfile"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ryan Hileman (https://github.com/lunixbochs)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Petr Viktorin (https://github.com/encukou)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "When using the \"tarfile\" module with a file opened in \"streaming mode\" (mode=\"r|\") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer."
}
],
"value": "When using the \"tarfile\" module with a file opened in \"streaming mode\" (mode=\"r|\") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-252",
"description": "CWE-252",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-606",
"description": "CWE-606",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-770",
"description": "CWE-770",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:13:21.383Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/151981"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/151982"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AXPSKKTSRKXTTJULW3XSIC74WZNAAPPB/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/3f031d431f80668e14f3bc066bbf4369cd9281b9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/4ce6bf7c8aa7725828a38981c306f214c1f29365"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/7f0dc59c9a70f8f3b4da33d7c4a2ba552a7acc21"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/e86666c9dd256d52d0fbef6feb1ea4a51768fdec"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/eb63c0f94dfcbea7fda8eab6213818e134d67192"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "tarfile opened in streaming mode mishandles EOF",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-11972",
"datePublished": "2026-06-23T22:02:45.434Z",
"dateReserved": "2026-06-11T11:35:05.520Z",
"dateUpdated": "2026-06-30T15:13:21.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0864 (GCVE-0-2026-0864)
Vulnerability from cvelistv5 – Published: 2026-06-23 17:42 – Updated: 2026-06-24 12:55
VLAI
EPSS
VEX
Title
Configuration Injection via Carriage Return (\r) in write() method
Summary
When using the "configparser" module to write configuration files
containing multi-line text values with carriage return characters (\r) the
resulting file could be injected with unexpected keys and values if the
attacker controls the written value.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T18:34:23.504725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T18:34:49.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "D0n9 (https://github.com/D0n9)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Petr Viktorin (https://github.com/encukou)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "When using the \"configparser\" module to write configuration files\ncontaining multi-line text values with carriage return characters (\\r) the\nresulting file could be injected with unexpected keys and values if the\nattacker controls the written value."
}
],
"value": "When using the \"configparser\" module to write configuration files\ncontaining multi-line text values with carriage return characters (\\r) the\nresulting file could be injected with unexpected keys and values if the\nattacker controls the written value."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T12:55:42.471Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/151559"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/143927"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/0adb386f6e68eb2e73d32e19f235d012df009528"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/71f2e02a52d47417a6fd69f456346cd8aa7aca98"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/aaf850fd333cd89e9aada03d92aaa788a6cb1bb8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Configuration Injection via Carriage Return (\\r) in write() method",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-0864",
"datePublished": "2026-06-23T17:42:01.947Z",
"dateReserved": "2026-01-12T16:07:55.453Z",
"dateUpdated": "2026-06-24T12:55:42.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11940 (GCVE-0-2026-11940)
Vulnerability from cvelistv5 – Published: 2026-06-23 16:04 – Updated: 2026-06-30 15:13
VLAI
EPSS
VEX
Title
tarfile extraction filter bypass allows escaping the destination directory
Summary
tarfile.extractall() with the 'data' or 'tar'
filter could be bypassed by a crafted archive where a hardlink
references a symlink stored at a deeper name than the hardlink itself.
The extraction fallback validated the symlink at it's archived location
but recreated it at the hardlink's shallower
path, letting a relative
target the filter judged contained escape the destination directory.
This allowed a malicious tar archive to create a symlink pointing
outside the destination, enabling out-of-destination file reads or
writes. This was an incomplete fix of CVE-2025-4330.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T17:57:25.652265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T17:57:32.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Haruki Oyama (https://github.com/harukioya)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Petr Viktorin (https://github.com/encukou)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "\u003cspan\u003etarfile.extractall()\u003c/span\u003e with the \u003cspan\u003e\u0027data\u0027\u003c/span\u003e or \u003cspan\u003e\u0027tar\u0027\u003c/span\u003e\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u0026nbsp; \nThe extraction fallback validated the symlink at it\u0027s archived location \nbut recreated it at the hardlink\u0027s shallower\u003cbr\u003epath, letting a relative\n target the filter judged contained escape the destination directory.\u0026nbsp; \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330."
}
],
"value": "tarfile.extractall() with the \u0027data\u0027 or \u0027tar\u0027\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u00a0 \nThe extraction fallback validated the symlink at it\u0027s archived location \nbut recreated it at the hardlink\u0027s shallower\npath, letting a relative\n target the filter judged contained escape the destination directory.\u00a0 \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:13:33.568Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/151559"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/LD6QIISNQFQYOIEPJNEUIPV7S3V76FZH/"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/151558"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/672825e2f36a57e173959b0d9d409d4560dab8df"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/771d12dda5140313db0ac550292987975651bbde"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/79c06bd5c6afa3c440d50faf7ee1b147c8832b4c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/be13e86f6b9788a6f4d0419dffef72cbae5865c9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "tarfile extraction filter bypass allows escaping the destination directory",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-11940",
"datePublished": "2026-06-23T16:04:17.321Z",
"dateReserved": "2026-06-10T19:50:59.923Z",
"dateUpdated": "2026-06-30T15:13:33.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12003 (GCVE-0-2026-12003)
Vulnerability from cvelistv5 – Published: 2026-06-16 15:18 – Updated: 2026-06-23 17:55
VLAI
EPSS
VEX
Title
CPython >3.11 Insecure Input Validation resulting in privilege escalation
Summary
To allow builds of Python to be run from an in-tree layout (rather than
an installed file layout), the VPATH variable is defined at build time
and used to locate certain landmarks - specifically,
Modules/setup.local. When this landmark is found relative to VPATH
relative to the executable, Python assumes it is running in a source
tree and generates a different default sys.path. This code remains in
release builds, so that release-ready builds can be built in-tree.
On Windows, since builds are written to 'PCbuild/', the value of
VPATH is set to '..\..', which results in a landmark of
'..\..\Modules\setup.local'. This path is outside the install directory
of Python, and may have different permissions, potentially allowing a
low-privilege user to create the landmark and an alternative `Lib`
folder that will be discovered by an otherwise restricted install.
Such a setup occurs with the legacy default install location for all
users (in the now superseded EXE installer), due to how Windows allows
all users to create folders in the root directory of their OS drive.
Our recommended mitigation on Windows is to migrate away from the
legacy installer and use the new [Python install
manager](https://www.python.org/downloads/latest/pymanager/) to install
for the current user. Installs where the directory two levels above the
Python installation directory have equivalent permissions are unaffected
(in general, a per-user install cannot be modified at all by other
users, removing any escalation of privilege risk, and could be directly
modified by a privileged user, making the potential tampering
irrelevant). Alternative mitigations might include preemptively creating
and restricting access to a `Modules` directory. Be aware that only 3.13
and 3.14 will receive updated legacy installers - earlier fixes are only
provided as sources.
Platforms other than Windows allow VPATH to be overridden, but as they
don't usually use a separated directory in the build for binaries, are
unlikely to have a landmark reference outside of the install directory.
The landmark detection involving VPATH is a fallback for when a more
specific landmark - .\pybuilddir.txt - is absent, and was included for
compatibility. Future releases of Python will no longer include the
fallback, and so builds will need to generate or preserve the
pybuilddir.txt file in order to work in-tree. This landmark file has
been generated on Windows since 3.11, and on other platforms for longer.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0b3
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T17:53:54.916961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T17:56:25.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-16T19:12:36.706Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/16/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0b3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jake Yamaki (https://github.com/b6938236)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Steve Dower (https://github.com/zooba)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "To allow builds of Python to be run from an in-tree layout (rather than\u003cbr\u003ean installed file layout), the VPATH variable is defined at build time\u003cbr\u003eand used to locate certain landmarks - specifically,\u003cbr\u003eModules/setup.local. When this landmark is found relative to VPATH\u003cbr\u003erelative to the executable, Python assumes it is running in a source\u003cbr\u003etree and generates a different default sys.path. This code remains in\u003cbr\u003erelease builds, so that release-ready builds can be built in-tree.\u003cbr\u003e\u003cbr\u003eOn Windows, since builds are written to \u0027PCbuild/\u0027, the value of\u003cbr\u003eVPATH is set to \u0027..\\..\u0027, which results in a landmark of\u003cbr\u003e\u0027..\\..\\Modules\\setup.local\u0027. This path is outside the install directory\u003cbr\u003eof Python, and may have different permissions, potentially allowing a\u003cbr\u003elow-privilege user to create the landmark and an alternative `Lib`\u003cbr\u003efolder that will be discovered by an otherwise restricted install.\u003cbr\u003e\u003cbr\u003eSuch a setup occurs with the legacy default install location for all\u003cbr\u003eusers (in the now superseded EXE installer), due to how Windows allows\u003cbr\u003eall users to create folders in the root directory of their OS drive.\u003cbr\u003e\u003cbr\u003eOur recommended mitigation on Windows is to migrate away from the\u003cbr\u003elegacy installer and use the new [Python install\u003cbr\u003emanager](https://www.python.org/downloads/latest/pymanager/) to install\u003cbr\u003efor the current user. Installs where the directory two levels above the\u003cbr\u003ePython installation directory have equivalent permissions are unaffected\u003cbr\u003e(in general, a per-user install cannot be modified at all by other\u003cbr\u003eusers, removing any escalation of privilege risk, and could be directly\u003cbr\u003emodified by a privileged user, making the potential tampering\u003cbr\u003eirrelevant). Alternative mitigations might include preemptively creating\u003cbr\u003eand restricting access to a `Modules` directory. Be aware that only 3.13\u003cbr\u003eand 3.14 will receive updated legacy installers - earlier fixes are only\u003cbr\u003eprovided as sources.\u003cbr\u003e\u003cbr\u003ePlatforms other than Windows allow VPATH to be overridden, but as they\u003cbr\u003edon\u0027t usually use a separated directory in the build for binaries, are\u003cbr\u003eunlikely to have a landmark reference outside of the install directory.\u003cbr\u003e\u003cbr\u003eThe landmark detection involving VPATH is a fallback for when a more\u003cbr\u003especific landmark - .\\pybuilddir.txt - is absent, and was included for\u003cbr\u003ecompatibility. Future releases of Python will no longer include the\u003cbr\u003efallback, and so builds will need to generate or preserve the\u003cbr\u003epybuilddir.txt file in order to work in-tree. This landmark file has\u003cbr\u003ebeen generated on Windows since 3.11, and on other platforms for longer."
}
],
"value": "To allow builds of Python to be run from an in-tree layout (rather than\nan installed file layout), the VPATH variable is defined at build time\nand used to locate certain landmarks - specifically,\nModules/setup.local. When this landmark is found relative to VPATH\nrelative to the executable, Python assumes it is running in a source\ntree and generates a different default sys.path. This code remains in\nrelease builds, so that release-ready builds can be built in-tree.\n\nOn Windows, since builds are written to \u0027PCbuild/\u0027, the value of\nVPATH is set to \u0027..\\..\u0027, which results in a landmark of\n\u0027..\\..\\Modules\\setup.local\u0027. This path is outside the install directory\nof Python, and may have different permissions, potentially allowing a\nlow-privilege user to create the landmark and an alternative `Lib`\nfolder that will be discovered by an otherwise restricted install.\n\nSuch a setup occurs with the legacy default install location for all\nusers (in the now superseded EXE installer), due to how Windows allows\nall users to create folders in the root directory of their OS drive.\n\nOur recommended mitigation on Windows is to migrate away from the\nlegacy installer and use the new [Python install\nmanager](https://www.python.org/downloads/latest/pymanager/) to install\nfor the current user. Installs where the directory two levels above the\nPython installation directory have equivalent permissions are unaffected\n(in general, a per-user install cannot be modified at all by other\nusers, removing any escalation of privilege risk, and could be directly\nmodified by a privileged user, making the potential tampering\nirrelevant). Alternative mitigations might include preemptively creating\nand restricting access to a `Modules` directory. Be aware that only 3.13\nand 3.14 will receive updated legacy installers - earlier fixes are only\nprovided as sources.\n\nPlatforms other than Windows allow VPATH to be overridden, but as they\ndon\u0027t usually use a separated directory in the build for binaries, are\nunlikely to have a landmark reference outside of the install directory.\n\nThe landmark detection involving VPATH is a fallback for when a more\nspecific landmark - .\\pybuilddir.txt - is absent, and was included for\ncompatibility. Future releases of Python will no longer include the\nfallback, and so builds will need to generate or preserve the\npybuilddir.txt file in order to work in-tree. This landmark file has\nbeen generated on Windows since 3.11, and on other platforms for longer."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T17:55:53.735Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/151545"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/151544"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://https://mail.python.org/archives/list/security-announce@python.org/thread/JIFOBO7UX3LY4VJKJUOKYJV62CFR2IRH/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/16c40f944b7bff724a403cf4902763d095bb4b2a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/9e863fab283eddca9c2a8f9d1ee30f4dc243e314"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/a86de0bc236fbb9452f98998fc8437e9fca35700"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/b93d6d3399adbd3a5037b6b92fc3587c85ac5d56"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CPython \u003e3.11 Insecure Input Validation resulting in privilege escalation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-12003",
"datePublished": "2026-06-16T15:18:42.998Z",
"dateReserved": "2026-06-11T17:05:37.519Z",
"dateUpdated": "2026-06-23T17:55:53.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9669 (GCVE-0-2026-9669)
Vulnerability from cvelistv5 – Published: 2026-06-08 22:01 – Updated: 2026-07-07 16:59
VLAI
EPSS
VEX
Title
bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow
Summary
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b3 (python) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-08T23:27:25.188Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/08/17"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9669",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T12:23:25.378543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T12:23:44.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"bz2"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b3",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bitshift (https://github.com/TheShiftedBit)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Emma Smith (https://github.com/emmatyping)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data."
}
],
"value": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:59:27.712Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/150600"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/150599"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/157a5df8cb5d82b33f918a7489e72ce95ceb12b6"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/5755d0f083949ff3c5bf3a37e673e24e306b036e"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/619a12b2e545391dc436b3af79dda22337382a6f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/d3ca26983dfbccdf609f24ff5877dc3118e4702d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/938ec030e90c5e53f1faac6fab1643f14e4f4a79"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-9669",
"datePublished": "2026-06-08T22:01:15.420Z",
"dateReserved": "2026-05-27T03:13:18.152Z",
"dateUpdated": "2026-07-07T16:59:27.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7774 (GCVE-0-2026-7774)
Vulnerability from cvelistv5 – Published: 2026-06-04 14:21 – Updated: 2026-07-07 16:59
VLAI
EPSS
VEX
Title
tarfile.data_filter path traversal bypass allows writing outside the extraction directory
Summary
tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b2 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7774",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T17:27:23.917872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T17:27:34.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-04T18:45:41.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/04/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"tarfile"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b2",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ph\u00f9ng Si\u00eau \u0110\u1ea1t (OPSWAT Unit 515)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Gregory P. Smith (https://github.com/gpshead)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Petr Viktorin (https://github.com/encukou)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process."
}
],
"value": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:59:55.298Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/149487"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/149486"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/0478bd83d82b255e0f29f613367a59d261e7eaa2"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/0d28f5e46e151718972dfabd91205444d0037b6d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/578411982c16f753f4893532510099ef665117da"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/5cf47a248c35c375d610b87b2f72fd1ed454b558"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/74cca9a92fb7d653e404843a56b8bdc7b0afdbbf"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/10a13bee3c24f9c62b602e696334ff2272a40efc"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/c063191cb7f9170f9565e305f8aa2b79ab2bf609"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "tarfile.data_filter path traversal bypass allows writing outside the extraction directory",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-7774",
"datePublished": "2026-06-04T14:21:23.904Z",
"dateReserved": "2026-05-04T14:47:51.154Z",
"dateUpdated": "2026-07-07T16:59:55.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3276 (GCVE-0-2026-3276)
Vulnerability from cvelistv5 – Published: 2026-06-03 14:29 – Updated: 2026-06-16 14:54
VLAI
EPSS
VEX
Title
Potential DoS via quadratic complexity in unicodedata.normalize()
Summary
unicodedata.normalize() can take excessive CPU time when processing
specially crafted Unicode input containing long runs of combining characters
with alternating Canonical Combining Class values.
This affects all normalization forms.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b2 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T17:27:09.393265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T17:27:19.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-03T19:18:17.828Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/03/15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b2",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Seokchan Yoon (https://github.com/ch4n3-yoon)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Tim Peters (https://github.com/tim-one)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Petr Viktorin (https://github.com/encukou)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eunicodedata.normalize()\u003c/span\u003e can take excessive CPU time when processing\u003cbr\u003especially crafted Unicode input containing long runs of combining characters\u003cbr\u003ewith alternating Canonical Combining Class values.\u003cbr\u003eThis affects all normalization forms."
}
],
"value": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T14:54:50.442Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/149080"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/149079"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential DoS via quadratic complexity in unicodedata.normalize()",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-3276",
"datePublished": "2026-06-03T14:29:39.727Z",
"dateReserved": "2026-02-26T15:19:46.862Z",
"dateUpdated": "2026-06-16T14:54:50.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8328 (GCVE-0-2026-8328)
Vulnerability from cvelistv5 – Published: 2026-05-13 20:14 – Updated: 2026-06-30 15:09
VLAI
EPSS
VEX
Title
FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
Summary
The ftpcp() function in Lib/ftplib.py was not updated when
CVE-2021-4189 was fixed. While makepasv() was patched to replace
server-supplied PASV host addresses with the actual peer address
(getpeername()[0]), ftpcp() still calls parse227() directly and passes
the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side request forgery (SSRF)
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b2 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:49:18.311219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:49:39.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"ftplib"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b2",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Qi Deng (https://github.com/ikow)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Gregory P. Smith (https://github.com/gpshead)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "\u003cdiv\u003eThe ftpcp() function in Lib/ftplib.py was not updated when \nCVE-2021-4189 was fixed. While makepasv() was patched to replace \nserver-supplied PASV host addresses with the actual peer address \n(getpeername()[0]), ftpcp() still calls parse227() directly and passes \nthe raw attacker-controllable IP address and port to target.sendport(). This patch is related to\u0026nbsp;CVE-2021-4189.\u003c/div\u003e"
}
],
"value": "The ftpcp() function in Lib/ftplib.py was not updated when \nCVE-2021-4189 was fixed. While makepasv() was patched to replace \nserver-supplied PASV host addresses with the actual peer address \n(getpeername()[0]), ftpcp() still calls parse227() directly and passes \nthe raw attacker-controllable IP address and port to target.sendport(). This patch is related to\u00a0CVE-2021-4189."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side request forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:09:29.230Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/87451"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/149648"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/5dadc64673ce875ebfb24163907777dae0f6ca06"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/7d95a1dc7382b55cba7fdd6a110336077584a4f0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/bb3446dda6c49b32e67c11dbbbf221b40be00763"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/c88704431ea3248ca769384c13856330976fac1d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/2bbcf3fb7a420a05605576c0f9468d4675381b5f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ef12d0dc824baccf737bba1458e5eed3d1e0fceb"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-8328",
"datePublished": "2026-05-13T20:14:33.751Z",
"dateReserved": "2026-05-11T15:06:00.859Z",
"dateUpdated": "2026-06-30T15:09:29.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7210 (GCVE-0-2026-7210)
Vulnerability from cvelistv5 – Published: 2026-05-11 17:19 – Updated: 2026-06-10 18:57
VLAI
EPSS
VEX
Title
The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
Summary
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-331 - Insufficient entropy
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b2 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:53:57.884366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:54:12.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-11T20:34:17.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/11/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/11/13"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"xml",
"expat"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b2",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Gregory P. Smith (https://github.com/gpshead)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."
}
],
"value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:57:50.682Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/149023"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/149018"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-7210",
"datePublished": "2026-05-11T17:19:09.784Z",
"dateReserved": "2026-04-27T14:43:40.042Z",
"dateUpdated": "2026-06-10T18:57:50.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3087 (GCVE-0-2026-3087)
Vulnerability from cvelistv5 – Published: 2026-04-27 20:46 – Updated: 2026-06-10 18:04
VLAI
EPSS
VEX
Title
shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
Summary
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0a1 , < 3.14.5rc1 (python) Affected: 3.15.0a1 , < 3.15.0b1 (python) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-28T05:07:42.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T13:38:08.747185Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T14:35:55.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"shutil"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.5rc1",
"status": "affected",
"version": "3.14.0a1",
"versionType": "python"
},
{
"lessThan": "3.15.0b1",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
},
{
"lang": "en",
"type": "reporter",
"value": "GGAutomaton (https://github.com/GGAutomaton)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."
}
],
"value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:04:43.260Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/146591"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/146581"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "shutil.unpack_archive() doesn\u0027t check for Windows absolute paths in ZIPs",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-3087",
"datePublished": "2026-04-27T20:46:43.201Z",
"dateReserved": "2026-02-23T23:14:46.433Z",
"dateUpdated": "2026-06-10T18:04:43.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6019 (GCVE-0-2026-6019)
Vulnerability from cvelistv5 – Published: 2026-04-22 19:28 – Updated: 2026-06-10 18:58
VLAI
EPSS
VEX
Title
BaseCookie.js_output() does not neutralize embedded characters
Summary
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-150 - Improper neutralization of escape, meta, or control sequences
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0a1 , < 3.14.5rc1 (python) Affected: 3.15.0a1 , < 3.15.0b1 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T20:02:17.071906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T20:02:34.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.5rc1",
"status": "affected",
"version": "3.14.0a1",
"versionType": "python"
},
{
"lessThan": "3.15.0b1",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "oolongeya (https://github.com/komi22)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003ehttp.cookies.Morsel.js_output()\u003c/code\u003e returns an inline \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e snippet and only escapes \u003ccode\u003e\"\u003c/code\u003e for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003ccode\u003e\u0026lt;/script\u0026gt;\u003c/code\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value."
}
],
"value": "http.cookies.Morsel.js_output() returns an inline \u003cscript\u003e snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003c/script\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper neutralization of escape, meta, or control sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:58:07.798Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/148848"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/90309"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "BaseCookie.js_output() does not neutralize embedded characters",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-6019",
"datePublished": "2026-04-22T19:28:08.720Z",
"dateReserved": "2026-04-09T15:35:00.668Z",
"dateUpdated": "2026-06-10T18:58:07.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3298 (GCVE-0-2026-3298)
Vulnerability from cvelistv5 – Published: 2026-04-21 14:45 – Updated: 2026-06-10 18:05
VLAI
EPSS
VEX
Title
Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes
Summary
The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds write
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
3.11.0 , < 3.13.14
(python)
Affected: 3.14.0a1 , < 3.14.5rc1 (python) Affected: 3.15.0a1 , < 3.15.0b1 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3298",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:15:36.206348Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:15:44.557Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "3.11.0",
"versionType": "python"
},
{
"lessThan": "3.14.5rc1",
"status": "affected",
"version": "3.14.0a1",
"versionType": "python"
},
{
"lessThan": "3.15.0b1",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "GGAutomaton (https://github.com/GGAutomaton)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Victor Stinner (https://github.com/vstinner)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"type": "text/html",
"value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."
}
],
"value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:05:02.868Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/148809"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/148808"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/KWTPIQBOOOUNQP7UFSLBI437NJDFLA3F/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/1274766d3c29007ab77245a72abbf8dce2a9db4d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/27522b7d6e6588f03e61099dd858cd5a9314e2f2"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/95633d2aad4721e25e4dfd9f43dfb6e1edcbd741"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-3298",
"datePublished": "2026-04-21T14:45:01.919Z",
"dateReserved": "2026-02-26T20:12:47.041Z",
"dateUpdated": "2026-06-10T18:05:02.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5713 (GCVE-0-2026-5713)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:11 – Updated: 2026-06-10 18:58
VLAI
EPSS
VEX
Title
Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target
Summary
The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
3.14.0 , < 3.14.5
(python)
Affected: 3.15.0a1 , < 3.15.0b1 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:49:26.893551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:49:38.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-15T17:24:22.172Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/15/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.14.5",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b1",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Nicholas Gould (https://github.com/gouldnicholas)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pablo Galindo Salgado"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pablo Galindo Salgado"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR."
}
],
"value": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:58:12.898Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/148187"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/148178"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/OG4RHARYSNIE22GGOMVMCRH76L5HKPLM/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/289fd2c97a7e5aecb8b69f94f5e838ccfeee7e67"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/316f6265b7f9ca4ffed5346b747475ef1943f35d"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-5713",
"datePublished": "2026-04-14T15:11:51.122Z",
"dateReserved": "2026-04-06T17:16:14.111Z",
"dateUpdated": "2026-06-10T18:58:12.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}