Search

Find a vulnerability

Search criteria

    128 vulnerabilities found for CPython by Python Software Foundation

    CVE-2026-15308 (GCVE-0-2026-15308)

    Vulnerability from nvd – Published: 2026-07-09 17:10 – Updated: 2026-07-09 19:32
    VLAI
    Title
    Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
    Summary
    The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
    Create a notification for this product.
    Credits
    Edward-x (https://github.com/YLChen-007) Serhiy Storchaka (https://github.com/serhiy-storchaka) Gregory P. Smith (https://github.com/gpshead) Seth Larson (https://github.com/sethmlarson)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15308",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:31:19.781935Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:31:27.360Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-09T19:32:36.790Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/09/4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "html.parser",
                "html"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Edward-x (https://github.com/YLChen-007)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Gregory P. Smith (https://github.com/gpshead)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The incremental HTML parser (html.parser.HTMLParser) allows for CPU\ndenial-of-service through repeated unterminated markup declarations when\nprocessing uncontrolled data."
                }
              ],
              "value": "The incremental HTML parser (html.parser.HTMLParser) allows for CPU\ndenial-of-service through repeated unterminated markup declarations when\nprocessing uncontrolled data."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T19:00:03.303Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F6453LWKSHKCTWFLCOURWPLETNUIW2Z5/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/153031"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/153030"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/07efb08123ba9367a7107325adb9d5626dca1ca9"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/7933f4bf7131aa4140750f9404f5de0aa2969ced"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/bcf98ddbc40ec9b3ee87da0124a5660b19b7e606"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/e9f92ac0b298292e7ff998e52cb8ccacfb27a0bd"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-15308",
        "datePublished": "2026-07-09T17:10:57.317Z",
        "dateReserved": "2026-07-09T17:04:11.926Z",
        "dateUpdated": "2026-07-09T19:32:36.790Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4360 (GCVE-0-2026-4360)

    Vulnerability from nvd – Published: 2026-06-30 14:45 – Updated: 2026-07-07 17:01
    VLAI
    Title
    Tarfile.extract() doesn't fully respect filter parameter
    Summary
    In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
    Create a notification for this product.
    Credits
    Michael Scovetta (https://github.com/scovetta) Seth Larson (https://github.com/sethmlarson) Petr Viktorin (https://github.com/encukou)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4360",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-30T15:28:24.835246Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T15:28:30.201Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "tarfile"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Michael Scovetta (https://github.com/scovetta)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Petr Viktorin (https://github.com/encukou)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter=\u0027data\u0027 to the extract() function."
                }
              ],
              "value": "In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter=\u0027data\u0027 to the extract() function."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-281",
                  "description": "CWE-281",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T17:01:15.080Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/TWZW2PC2AZOV6FENIHFSRC63OM7MBGSB/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/151988"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/151987"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/5e0ef3f1afe892e4f64eb83368db57ac4c40cba0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/7b57e8d51446297b8c7c482d224bc5f1938e4301"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/7ccdbaba2c54250a70d7f25632152df7655a5e0a"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/eee3ddf0ca10283cc7fea724aae9cd8665f8d15e"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/d2b2f5eacab4dd48446b63340613b05dcbbf0b44"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Tarfile.extract() doesn\u0027t fully respect filter parameter",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-4360",
        "datePublished": "2026-06-30T14:45:35.601Z",
        "dateReserved": "2026-03-17T19:25:46.527Z",
        "dateUpdated": "2026-07-07T17:01:15.080Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11972 (GCVE-0-2026-11972)

    Vulnerability from nvd – Published: 2026-06-23 22:02 – Updated: 2026-06-30 15:13
    VLAI
    Title
    tarfile opened in streaming mode mishandles EOF
    Summary
    When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
    Create a notification for this product.
    Credits
    Ryan Hileman (https://github.com/lunixbochs) Petr Viktorin (https://github.com/encukou) Stan Ulbrych (https://github.com/StanFromIreland)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11972",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:33:49.665045Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:34:06.959Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "tarfile"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ryan Hileman (https://github.com/lunixbochs)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Petr Viktorin (https://github.com/encukou)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "When using the \"tarfile\" module with a file opened in \"streaming mode\" (mode=\"r|\") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer."
                }
              ],
              "value": "When using the \"tarfile\" module with a file opened in \"streaming mode\" (mode=\"r|\") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-252",
                  "description": "CWE-252",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-606",
                  "description": "CWE-606",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T15:13:21.383Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/151981"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/151982"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AXPSKKTSRKXTTJULW3XSIC74WZNAAPPB/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/3f031d431f80668e14f3bc066bbf4369cd9281b9"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/4ce6bf7c8aa7725828a38981c306f214c1f29365"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/7f0dc59c9a70f8f3b4da33d7c4a2ba552a7acc21"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/e86666c9dd256d52d0fbef6feb1ea4a51768fdec"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/eb63c0f94dfcbea7fda8eab6213818e134d67192"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "tarfile opened in streaming mode mishandles EOF",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-11972",
        "datePublished": "2026-06-23T22:02:45.434Z",
        "dateReserved": "2026-06-11T11:35:05.520Z",
        "dateUpdated": "2026-06-30T15:13:21.383Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0864 (GCVE-0-2026-0864)

    Vulnerability from nvd – Published: 2026-06-23 17:42 – Updated: 2026-06-24 12:55
    VLAI
    Title
    Configuration Injection via Carriage Return (\r) in write() method
    Summary
    When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
    Create a notification for this product.
    Credits
    D0n9 (https://github.com/D0n9) Petr Viktorin (https://github.com/encukou) Seth Larson (https://github.com/sethmlarson)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0864",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T18:34:23.504725Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-74",
                    "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T18:34:49.788Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "D0n9 (https://github.com/D0n9)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Petr Viktorin (https://github.com/encukou)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "When using the \"configparser\" module to write configuration files\ncontaining multi-line text values with carriage return characters (\\r) the\nresulting file could be injected with unexpected keys and values if the\nattacker controls the written value."
                }
              ],
              "value": "When using the \"configparser\" module to write configuration files\ncontaining multi-line text values with carriage return characters (\\r) the\nresulting file could be injected with unexpected keys and values if the\nattacker controls the written value."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T12:55:42.471Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/151559"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/143927"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/0adb386f6e68eb2e73d32e19f235d012df009528"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/71f2e02a52d47417a6fd69f456346cd8aa7aca98"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/aaf850fd333cd89e9aada03d92aaa788a6cb1bb8"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Configuration Injection via Carriage Return (\\r) in write() method",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-0864",
        "datePublished": "2026-06-23T17:42:01.947Z",
        "dateReserved": "2026-01-12T16:07:55.453Z",
        "dateUpdated": "2026-06-24T12:55:42.471Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11940 (GCVE-0-2026-11940)

    Vulnerability from nvd – Published: 2026-06-23 16:04 – Updated: 2026-06-30 15:13
    VLAI
    Title
    tarfile extraction filter bypass allows escaping the destination directory
    Summary
    tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself.  The extraction fallback validated the symlink at it's archived location but recreated it at the hardlink's shallower path, letting a relative target the filter judged contained escape the destination directory.  This allowed a malicious tar archive to create a symlink pointing outside the destination, enabling out-of-destination file reads or writes. This was an incomplete fix of CVE-2025-4330.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
    Create a notification for this product.
    Credits
    Haruki Oyama (https://github.com/harukioya) Stan Ulbrych (https://github.com/StanFromIreland) Petr Viktorin (https://github.com/encukou)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11940",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T17:57:25.652265Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T17:57:32.525Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Haruki Oyama (https://github.com/harukioya)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Petr Viktorin (https://github.com/encukou)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "\u003cspan\u003etarfile.extractall()\u003c/span\u003e with the \u003cspan\u003e\u0027data\u0027\u003c/span\u003e or \u003cspan\u003e\u0027tar\u0027\u003c/span\u003e\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u0026nbsp; \nThe extraction fallback validated the symlink at it\u0027s archived location \nbut recreated it at the hardlink\u0027s shallower\u003cbr\u003epath, letting a relative\n target the filter judged contained escape the destination directory.\u0026nbsp; \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330."
                }
              ],
              "value": "tarfile.extractall() with the \u0027data\u0027 or \u0027tar\u0027\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u00a0 \nThe extraction fallback validated the symlink at it\u0027s archived location \nbut recreated it at the hardlink\u0027s shallower\npath, letting a relative\n target the filter judged contained escape the destination directory.\u00a0 \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T15:13:33.568Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/151559"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/LD6QIISNQFQYOIEPJNEUIPV7S3V76FZH/"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/151558"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/672825e2f36a57e173959b0d9d409d4560dab8df"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/771d12dda5140313db0ac550292987975651bbde"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/79c06bd5c6afa3c440d50faf7ee1b147c8832b4c"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/be13e86f6b9788a6f4d0419dffef72cbae5865c9"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "tarfile extraction filter bypass allows escaping the destination directory",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-11940",
        "datePublished": "2026-06-23T16:04:17.321Z",
        "dateReserved": "2026-06-10T19:50:59.923Z",
        "dateUpdated": "2026-06-30T15:13:33.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12003 (GCVE-0-2026-12003)

    Vulnerability from nvd – Published: 2026-06-16 15:18 – Updated: 2026-06-23 17:55
    VLAI
    Title
    CPython >3.11 Insecure Input Validation resulting in privilege escalation
    Summary
    To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree. On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive. Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory have equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources. Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separated directory in the build for binaries, are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0b3 (python)
    Create a notification for this product.
    Credits
    Jake Yamaki (https://github.com/b6938236) Steve Dower (https://github.com/zooba)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12003",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-16T17:53:54.916961Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-16T17:56:25.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-16T19:12:36.706Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/16/8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0b3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jake Yamaki (https://github.com/b6938236)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Steve Dower (https://github.com/zooba)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "To allow builds of Python to be run from an in-tree layout (rather than\u003cbr\u003ean installed file layout), the VPATH variable is defined at build time\u003cbr\u003eand used to locate certain landmarks - specifically,\u003cbr\u003eModules/setup.local. When this landmark is found relative to VPATH\u003cbr\u003erelative to the executable, Python assumes it is running in a source\u003cbr\u003etree and generates a different default sys.path. This code remains in\u003cbr\u003erelease builds, so that release-ready builds can be built in-tree.\u003cbr\u003e\u003cbr\u003eOn Windows, since builds are written to \u0027PCbuild/\u0027, the value of\u003cbr\u003eVPATH is set to \u0027..\\..\u0027, which results in a landmark of\u003cbr\u003e\u0027..\\..\\Modules\\setup.local\u0027. This path is outside the install directory\u003cbr\u003eof Python, and may have different permissions, potentially allowing a\u003cbr\u003elow-privilege user to create the landmark and an alternative `Lib`\u003cbr\u003efolder that will be discovered by an otherwise restricted install.\u003cbr\u003e\u003cbr\u003eSuch a setup occurs with the legacy default install location for all\u003cbr\u003eusers (in the now superseded EXE installer), due to how Windows allows\u003cbr\u003eall users to create folders in the root directory of their OS drive.\u003cbr\u003e\u003cbr\u003eOur recommended mitigation on Windows is to migrate away from the\u003cbr\u003elegacy installer and use the new [Python install\u003cbr\u003emanager](https://www.python.org/downloads/latest/pymanager/) to install\u003cbr\u003efor the current user. Installs where the directory two levels above the\u003cbr\u003ePython installation directory have equivalent permissions are unaffected\u003cbr\u003e(in general, a per-user install cannot be modified at all by other\u003cbr\u003eusers, removing any escalation of privilege risk, and could be directly\u003cbr\u003emodified by a privileged user, making the potential tampering\u003cbr\u003eirrelevant). Alternative mitigations might include preemptively creating\u003cbr\u003eand restricting access to a `Modules` directory. Be aware that only 3.13\u003cbr\u003eand 3.14 will receive updated legacy installers - earlier fixes are only\u003cbr\u003eprovided as sources.\u003cbr\u003e\u003cbr\u003ePlatforms other than Windows allow VPATH to be overridden, but as they\u003cbr\u003edon\u0027t usually use a separated directory in the build for binaries, are\u003cbr\u003eunlikely to have a landmark reference outside of the install directory.\u003cbr\u003e\u003cbr\u003eThe landmark detection involving VPATH is a fallback for when a more\u003cbr\u003especific landmark - .\\pybuilddir.txt - is absent, and was included for\u003cbr\u003ecompatibility. Future releases of Python will no longer include the\u003cbr\u003efallback, and so builds will need to generate or preserve the\u003cbr\u003epybuilddir.txt file in order to work in-tree. This landmark file has\u003cbr\u003ebeen generated on Windows since 3.11, and on other platforms for longer."
                }
              ],
              "value": "To allow builds of Python to be run from an in-tree layout (rather than\nan installed file layout), the VPATH variable is defined at build time\nand used to locate certain landmarks - specifically,\nModules/setup.local. When this landmark is found relative to VPATH\nrelative to the executable, Python assumes it is running in a source\ntree and generates a different default sys.path. This code remains in\nrelease builds, so that release-ready builds can be built in-tree.\n\nOn Windows, since builds are written to \u0027PCbuild/\u0027, the value of\nVPATH is set to \u0027..\\..\u0027, which results in a landmark of\n\u0027..\\..\\Modules\\setup.local\u0027. This path is outside the install directory\nof Python, and may have different permissions, potentially allowing a\nlow-privilege user to create the landmark and an alternative `Lib`\nfolder that will be discovered by an otherwise restricted install.\n\nSuch a setup occurs with the legacy default install location for all\nusers (in the now superseded EXE installer), due to how Windows allows\nall users to create folders in the root directory of their OS drive.\n\nOur recommended mitigation on Windows is to migrate away from the\nlegacy installer and use the new [Python install\nmanager](https://www.python.org/downloads/latest/pymanager/) to install\nfor the current user. Installs where the directory two levels above the\nPython installation directory have equivalent permissions are unaffected\n(in general, a per-user install cannot be modified at all by other\nusers, removing any escalation of privilege risk, and could be directly\nmodified by a privileged user, making the potential tampering\nirrelevant). Alternative mitigations might include preemptively creating\nand restricting access to a `Modules` directory. Be aware that only 3.13\nand 3.14 will receive updated legacy installers - earlier fixes are only\nprovided as sources.\n\nPlatforms other than Windows allow VPATH to be overridden, but as they\ndon\u0027t usually use a separated directory in the build for binaries, are\nunlikely to have a landmark reference outside of the install directory.\n\nThe landmark detection involving VPATH is a fallback for when a more\nspecific landmark - .\\pybuilddir.txt - is absent, and was included for\ncompatibility. Future releases of Python will no longer include the\nfallback, and so builds will need to generate or preserve the\npybuilddir.txt file in order to work in-tree. This landmark file has\nbeen generated on Windows since 3.11, and on other platforms for longer."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T17:55:53.735Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/151545"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/151544"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://https://mail.python.org/archives/list/security-announce@python.org/thread/JIFOBO7UX3LY4VJKJUOKYJV62CFR2IRH/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/16c40f944b7bff724a403cf4902763d095bb4b2a"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/9e863fab283eddca9c2a8f9d1ee30f4dc243e314"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/a86de0bc236fbb9452f98998fc8437e9fca35700"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/b93d6d3399adbd3a5037b6b92fc3587c85ac5d56"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CPython \u003e3.11 Insecure Input Validation resulting in privilege escalation",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-12003",
        "datePublished": "2026-06-16T15:18:42.998Z",
        "dateReserved": "2026-06-11T17:05:37.519Z",
        "dateUpdated": "2026-06-23T17:55:53.735Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9669 (GCVE-0-2026-9669)

    Vulnerability from nvd – Published: 2026-06-08 22:01 – Updated: 2026-07-07 16:59
    VLAI
    Title
    bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow
    Summary
    bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0 , < 3.14.6 (python)
    Affected: 3.15.0a1 , < 3.15.0b3 (python)
    Create a notification for this product.
    Credits
    Bitshift (https://github.com/TheShiftedBit) Emma Smith (https://github.com/emmatyping) Stan Ulbrych (https://github.com/StanFromIreland) Serhiy Storchaka (https://github.com/serhiy-storchaka)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-08T23:27:25.188Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/08/17"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9669",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-16T12:23:25.378543Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-16T12:23:44.258Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "bz2"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.6",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b3",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Bitshift (https://github.com/TheShiftedBit)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Emma Smith (https://github.com/emmatyping)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data."
                }
              ],
              "value": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T16:59:27.712Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/150600"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/150599"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/157a5df8cb5d82b33f918a7489e72ce95ceb12b6"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/5755d0f083949ff3c5bf3a37e673e24e306b036e"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/619a12b2e545391dc436b3af79dda22337382a6f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/d3ca26983dfbccdf609f24ff5877dc3118e4702d"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/938ec030e90c5e53f1faac6fab1643f14e4f4a79"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-9669",
        "datePublished": "2026-06-08T22:01:15.420Z",
        "dateReserved": "2026-05-27T03:13:18.152Z",
        "dateUpdated": "2026-07-07T16:59:27.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7774 (GCVE-0-2026-7774)

    Vulnerability from nvd – Published: 2026-06-04 14:21 – Updated: 2026-07-07 16:59
    VLAI
    Title
    tarfile.data_filter path traversal bypass allows writing outside the extraction directory
    Summary
    tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0 , < 3.14.6 (python)
    Affected: 3.15.0a1 , < 3.15.0b2 (python)
    Create a notification for this product.
    Credits
    Phùng Siêu Đạt (OPSWAT Unit 515) Seth Larson (https://github.com/sethmlarson) Gregory P. Smith (https://github.com/gpshead) Petr Viktorin (https://github.com/encukou) Stan Ulbrych (https://github.com/StanFromIreland)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7774",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T17:27:23.917872Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T17:27:34.304Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-04T18:45:41.657Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/04/9"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "tarfile"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.6",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b2",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ph\u00f9ng Si\u00eau \u0110\u1ea1t (OPSWAT Unit 515)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Gregory P. Smith (https://github.com/gpshead)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Petr Viktorin (https://github.com/encukou)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process."
                }
              ],
              "value": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T16:59:55.298Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/149487"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/149486"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/0478bd83d82b255e0f29f613367a59d261e7eaa2"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/0d28f5e46e151718972dfabd91205444d0037b6d"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/578411982c16f753f4893532510099ef665117da"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/5cf47a248c35c375d610b87b2f72fd1ed454b558"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/74cca9a92fb7d653e404843a56b8bdc7b0afdbbf"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/10a13bee3c24f9c62b602e696334ff2272a40efc"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/c063191cb7f9170f9565e305f8aa2b79ab2bf609"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "tarfile.data_filter path traversal bypass allows writing outside the extraction directory",
          "x_generator": {
            "engine": "Vulnogram 0.6.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-7774",
        "datePublished": "2026-06-04T14:21:23.904Z",
        "dateReserved": "2026-05-04T14:47:51.154Z",
        "dateUpdated": "2026-07-07T16:59:55.298Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3276 (GCVE-0-2026-3276)

    Vulnerability from nvd – Published: 2026-06-03 14:29 – Updated: 2026-06-16 14:54
    VLAI
    Title
    Potential DoS via quadratic complexity in unicodedata.normalize()
    Summary
    unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0 , < 3.14.6 (python)
    Affected: 3.15.0a1 , < 3.15.0b2 (python)
    Create a notification for this product.
    Credits
    Seokchan Yoon (https://github.com/ch4n3-yoon) Tim Peters (https://github.com/tim-one) Bénédikt Tran (https://github.com/picnixz) Serhiy Storchaka (https://github.com/serhiy-storchaka) Stan Ulbrych (https://github.com/StanFromIreland) Seth Larson (https://github.com/sethmlarson) Petr Viktorin (https://github.com/encukou)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3276",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T17:27:09.393265Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T17:27:19.179Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-03T19:18:17.828Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/03/15"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.6",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b2",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Seokchan Yoon (https://github.com/ch4n3-yoon)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Tim Peters (https://github.com/tim-one)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Petr Viktorin (https://github.com/encukou)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003eunicodedata.normalize()\u003c/span\u003e can take excessive CPU time when processing\u003cbr\u003especially crafted Unicode input containing long runs of combining characters\u003cbr\u003ewith alternating Canonical Combining Class values.\u003cbr\u003eThis affects all normalization forms."
                }
              ],
              "value": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T14:54:50.442Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/149080"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/149079"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Potential DoS via quadratic complexity in unicodedata.normalize()",
          "x_generator": {
            "engine": "Vulnogram 0.6.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-3276",
        "datePublished": "2026-06-03T14:29:39.727Z",
        "dateReserved": "2026-02-26T15:19:46.862Z",
        "dateUpdated": "2026-06-16T14:54:50.442Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8328 (GCVE-0-2026-8328)

    Vulnerability from nvd – Published: 2026-05-13 20:14 – Updated: 2026-06-30 15:09
    VLAI
    Title
    FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
    Summary
    The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side request forgery (SSRF)
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0 , < 3.14.6 (python)
    Affected: 3.15.0a1 , < 3.15.0b2 (python)
    Create a notification for this product.
    Credits
    Qi Deng (https://github.com/ikow) Bénédikt Tran (https://github.com/picnixz) Gregory P. Smith (https://github.com/gpshead)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8328",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T12:49:18.311219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T12:49:39.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "ftplib"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.6",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b2",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Qi Deng (https://github.com/ikow)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Gregory P. Smith (https://github.com/gpshead)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "\u003cdiv\u003eThe ftpcp() function in Lib/ftplib.py was not updated when \nCVE-2021-4189 was fixed. While makepasv() was patched to replace \nserver-supplied PASV host addresses with the actual peer address \n(getpeername()[0]), ftpcp() still calls parse227() directly and passes \nthe raw attacker-controllable IP address and port to target.sendport(). This patch is related to\u0026nbsp;CVE-2021-4189.\u003c/div\u003e"
                }
              ],
              "value": "The ftpcp() function in Lib/ftplib.py was not updated when \nCVE-2021-4189 was fixed. While makepasv() was patched to replace \nserver-supplied PASV host addresses with the actual peer address \n(getpeername()[0]), ftpcp() still calls parse227() directly and passes \nthe raw attacker-controllable IP address and port to target.sendport(). This patch is related to\u00a0CVE-2021-4189."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side request forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T15:09:29.230Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/87451"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/149648"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/5dadc64673ce875ebfb24163907777dae0f6ca06"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/7d95a1dc7382b55cba7fdd6a110336077584a4f0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/bb3446dda6c49b32e67c11dbbbf221b40be00763"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/c88704431ea3248ca769384c13856330976fac1d"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/2bbcf3fb7a420a05605576c0f9468d4675381b5f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/ef12d0dc824baccf737bba1458e5eed3d1e0fceb"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-8328",
        "datePublished": "2026-05-13T20:14:33.751Z",
        "dateReserved": "2026-05-11T15:06:00.859Z",
        "dateUpdated": "2026-06-30T15:09:29.230Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7210 (GCVE-0-2026-7210)

    Vulnerability from nvd – Published: 2026-05-11 17:19 – Updated: 2026-06-10 18:57
    VLAI
    Title
    The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
    Summary
    `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0 , < 3.14.6 (python)
    Affected: 3.15.0a1 , < 3.15.0b2 (python)
    Create a notification for this product.
    Credits
    Stan Ulbrych (https://github.com/StanFromIreland) Gregory P. Smith (https://github.com/gpshead)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7210",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:53:57.884366Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T18:54:12.868Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-05-11T20:34:17.811Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/11/8"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/11/13"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "xml",
                "expat"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.6",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b2",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Gregory P. Smith (https://github.com/gpshead)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."
                }
              ],
              "value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-331",
                  "description": "CWE-331 Insufficient entropy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T18:57:50.682Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/149023"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/149018"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-7210",
        "datePublished": "2026-05-11T17:19:09.784Z",
        "dateReserved": "2026-04-27T14:43:40.042Z",
        "dateUpdated": "2026-06-10T18:57:50.682Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3087 (GCVE-0-2026-3087)

    Vulnerability from nvd – Published: 2026-04-27 20:46 – Updated: 2026-06-10 18:04
    VLAI
    Title
    shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
    Summary
    If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0a1 , < 3.14.5rc1 (python)
    Affected: 3.15.0a1 , < 3.15.0b1 (python)
    Create a notification for this product.
    Credits
    Serhiy Storchaka (https://github.com/serhiy-storchaka) Seth Larson (https://github.com/sethmlarson) GGAutomaton (https://github.com/GGAutomaton)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-04-28T05:07:42.331Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/04/28/9"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3087",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T13:38:08.747185Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T14:35:55.942Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "shutil"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.5rc1",
                  "status": "affected",
                  "version": "3.14.0a1",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b1",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "GGAutomaton (https://github.com/GGAutomaton)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."
                }
              ],
              "value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T18:04:43.260Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/146591"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/146581"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "shutil.unpack_archive() doesn\u0027t check for Windows absolute paths in ZIPs",
          "x_generator": {
            "engine": "Vulnogram 0.6.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-3087",
        "datePublished": "2026-04-27T20:46:43.201Z",
        "dateReserved": "2026-02-23T23:14:46.433Z",
        "dateUpdated": "2026-06-10T18:04:43.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6019 (GCVE-0-2026-6019)

    Vulnerability from nvd – Published: 2026-04-22 19:28 – Updated: 2026-06-10 18:58
    VLAI
    Title
    BaseCookie.js_output() does not neutralize embedded characters
    Summary
    http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-150 - Improper neutralization of escape, meta, or control sequences
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0a1 , < 3.14.5rc1 (python)
    Affected: 3.15.0a1 , < 3.15.0b1 (python)
    Create a notification for this product.
    Credits
    oolongeya (https://github.com/komi22) Seth Larson (https://github.com/sethmlarson)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6019",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T20:02:17.071906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T20:02:34.468Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.5rc1",
                  "status": "affected",
                  "version": "3.14.0a1",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b1",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "oolongeya (https://github.com/komi22)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ehttp.cookies.Morsel.js_output()\u003c/code\u003e returns an inline \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e snippet and only escapes \u003ccode\u003e\"\u003c/code\u003e for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003ccode\u003e\u0026lt;/script\u0026gt;\u003c/code\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value."
                }
              ],
              "value": "http.cookies.Morsel.js_output() returns an inline \u003cscript\u003e snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003c/script\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-150",
                  "description": "CWE-150 Improper neutralization of escape, meta, or control sequences",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T18:58:07.798Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/148848"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/90309"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "BaseCookie.js_output() does not neutralize embedded characters",
          "x_generator": {
            "engine": "Vulnogram 0.6.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-6019",
        "datePublished": "2026-04-22T19:28:08.720Z",
        "dateReserved": "2026-04-09T15:35:00.668Z",
        "dateUpdated": "2026-06-10T18:58:07.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3298 (GCVE-0-2026-3298)

    Vulnerability from nvd – Published: 2026-04-21 14:45 – Updated: 2026-06-10 18:05
    VLAI
    Title
    Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes
    Summary
    The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 3.11.0 , < 3.13.14 (python)
    Affected: 3.14.0a1 , < 3.14.5rc1 (python)
    Affected: 3.15.0a1 , < 3.15.0b1 (python)
    Create a notification for this product.
    Credits
    GGAutomaton (https://github.com/GGAutomaton) Victor Stinner (https://github.com/vstinner) Seth Larson (https://github.com/sethmlarson)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3298",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-21T19:15:36.206348Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-21T19:15:44.557Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "3.11.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.5rc1",
                  "status": "affected",
                  "version": "3.14.0a1",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b1",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "GGAutomaton (https://github.com/GGAutomaton)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Victor Stinner (https://github.com/vstinner)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."
                }
              ],
              "value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787 Out-of-bounds write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T18:05:02.868Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/148809"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/148808"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/KWTPIQBOOOUNQP7UFSLBI437NJDFLA3F/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/1274766d3c29007ab77245a72abbf8dce2a9db4d"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/27522b7d6e6588f03e61099dd858cd5a9314e2f2"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/95633d2aad4721e25e4dfd9f43dfb6e1edcbd741"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-3298",
        "datePublished": "2026-04-21T14:45:01.919Z",
        "dateReserved": "2026-02-26T20:12:47.041Z",
        "dateUpdated": "2026-06-10T18:05:02.868Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5713 (GCVE-0-2026-5713)

    Vulnerability from nvd – Published: 2026-04-14 15:11 – Updated: 2026-06-10 18:58
    VLAI
    Title
    Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target
    Summary
    The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 3.14.0 , < 3.14.5 (python)
    Affected: 3.15.0a1 , < 3.15.0b1 (python)
    Create a notification for this product.
    Credits
    Nicholas Gould (https://github.com/gouldnicholas) Pablo Galindo Salgado Pablo Galindo Salgado
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5713",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T15:49:26.893551Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T15:49:38.323Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-04-15T17:24:22.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/04/15/6"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.14.5",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b1",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Nicholas Gould (https://github.com/gouldnicholas)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Pablo Galindo Salgado"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Pablo Galindo Salgado"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR."
                }
              ],
              "value": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125 Out-of-bounds read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T18:58:12.898Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/148187"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/148178"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/OG4RHARYSNIE22GGOMVMCRH76L5HKPLM/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/289fd2c97a7e5aecb8b69f94f5e838ccfeee7e67"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/316f6265b7f9ca4ffed5346b747475ef1943f35d"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target",
          "x_generator": {
            "engine": "Vulnogram 0.6.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-5713",
        "datePublished": "2026-04-14T15:11:51.122Z",
        "dateReserved": "2026-04-06T17:16:14.111Z",
        "dateUpdated": "2026-06-10T18:58:12.898Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15308 (GCVE-0-2026-15308)

    Vulnerability from cvelistv5 – Published: 2026-07-09 17:10 – Updated: 2026-07-09 19:32
    VLAI
    Title
    Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
    Summary
    The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
    Create a notification for this product.
    Credits
    Edward-x (https://github.com/YLChen-007) Serhiy Storchaka (https://github.com/serhiy-storchaka) Gregory P. Smith (https://github.com/gpshead) Seth Larson (https://github.com/sethmlarson)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15308",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T17:31:19.781935Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T17:31:27.360Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-09T19:32:36.790Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/09/4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "html.parser",
                "html"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Edward-x (https://github.com/YLChen-007)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Gregory P. Smith (https://github.com/gpshead)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The incremental HTML parser (html.parser.HTMLParser) allows for CPU\ndenial-of-service through repeated unterminated markup declarations when\nprocessing uncontrolled data."
                }
              ],
              "value": "The incremental HTML parser (html.parser.HTMLParser) allows for CPU\ndenial-of-service through repeated unterminated markup declarations when\nprocessing uncontrolled data."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T19:00:03.303Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F6453LWKSHKCTWFLCOURWPLETNUIW2Z5/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/153031"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/153030"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/07efb08123ba9367a7107325adb9d5626dca1ca9"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/7933f4bf7131aa4140750f9404f5de0aa2969ced"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/bcf98ddbc40ec9b3ee87da0124a5660b19b7e606"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/e9f92ac0b298292e7ff998e52cb8ccacfb27a0bd"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-15308",
        "datePublished": "2026-07-09T17:10:57.317Z",
        "dateReserved": "2026-07-09T17:04:11.926Z",
        "dateUpdated": "2026-07-09T19:32:36.790Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4360 (GCVE-0-2026-4360)

    Vulnerability from cvelistv5 – Published: 2026-06-30 14:45 – Updated: 2026-07-07 17:01
    VLAI
    Title
    Tarfile.extract() doesn't fully respect filter parameter
    Summary
    In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
    Create a notification for this product.
    Credits
    Michael Scovetta (https://github.com/scovetta) Seth Larson (https://github.com/sethmlarson) Petr Viktorin (https://github.com/encukou)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4360",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-30T15:28:24.835246Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T15:28:30.201Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "tarfile"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Michael Scovetta (https://github.com/scovetta)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Petr Viktorin (https://github.com/encukou)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter=\u0027data\u0027 to the extract() function."
                }
              ],
              "value": "In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter=\u0027data\u0027 to the extract() function."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-281",
                  "description": "CWE-281",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T17:01:15.080Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/TWZW2PC2AZOV6FENIHFSRC63OM7MBGSB/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/151988"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/151987"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/5e0ef3f1afe892e4f64eb83368db57ac4c40cba0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/7b57e8d51446297b8c7c482d224bc5f1938e4301"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/7ccdbaba2c54250a70d7f25632152df7655a5e0a"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/eee3ddf0ca10283cc7fea724aae9cd8665f8d15e"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/d2b2f5eacab4dd48446b63340613b05dcbbf0b44"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Tarfile.extract() doesn\u0027t fully respect filter parameter",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-4360",
        "datePublished": "2026-06-30T14:45:35.601Z",
        "dateReserved": "2026-03-17T19:25:46.527Z",
        "dateUpdated": "2026-07-07T17:01:15.080Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11972 (GCVE-0-2026-11972)

    Vulnerability from cvelistv5 – Published: 2026-06-23 22:02 – Updated: 2026-06-30 15:13
    VLAI
    Title
    tarfile opened in streaming mode mishandles EOF
    Summary
    When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
    Create a notification for this product.
    Credits
    Ryan Hileman (https://github.com/lunixbochs) Petr Viktorin (https://github.com/encukou) Stan Ulbrych (https://github.com/StanFromIreland)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11972",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T15:33:49.665045Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T15:34:06.959Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "tarfile"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ryan Hileman (https://github.com/lunixbochs)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Petr Viktorin (https://github.com/encukou)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "When using the \"tarfile\" module with a file opened in \"streaming mode\" (mode=\"r|\") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer."
                }
              ],
              "value": "When using the \"tarfile\" module with a file opened in \"streaming mode\" (mode=\"r|\") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-252",
                  "description": "CWE-252",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-606",
                  "description": "CWE-606",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T15:13:21.383Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/151981"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/151982"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AXPSKKTSRKXTTJULW3XSIC74WZNAAPPB/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/3f031d431f80668e14f3bc066bbf4369cd9281b9"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/4ce6bf7c8aa7725828a38981c306f214c1f29365"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/7f0dc59c9a70f8f3b4da33d7c4a2ba552a7acc21"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/e86666c9dd256d52d0fbef6feb1ea4a51768fdec"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/eb63c0f94dfcbea7fda8eab6213818e134d67192"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "tarfile opened in streaming mode mishandles EOF",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-11972",
        "datePublished": "2026-06-23T22:02:45.434Z",
        "dateReserved": "2026-06-11T11:35:05.520Z",
        "dateUpdated": "2026-06-30T15:13:21.383Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0864 (GCVE-0-2026-0864)

    Vulnerability from cvelistv5 – Published: 2026-06-23 17:42 – Updated: 2026-06-24 12:55
    VLAI
    Title
    Configuration Injection via Carriage Return (\r) in write() method
    Summary
    When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
    Create a notification for this product.
    Credits
    D0n9 (https://github.com/D0n9) Petr Viktorin (https://github.com/encukou) Seth Larson (https://github.com/sethmlarson)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0864",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T18:34:23.504725Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-74",
                    "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T18:34:49.788Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "D0n9 (https://github.com/D0n9)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Petr Viktorin (https://github.com/encukou)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "When using the \"configparser\" module to write configuration files\ncontaining multi-line text values with carriage return characters (\\r) the\nresulting file could be injected with unexpected keys and values if the\nattacker controls the written value."
                }
              ],
              "value": "When using the \"configparser\" module to write configuration files\ncontaining multi-line text values with carriage return characters (\\r) the\nresulting file could be injected with unexpected keys and values if the\nattacker controls the written value."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T12:55:42.471Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/151559"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/143927"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/0adb386f6e68eb2e73d32e19f235d012df009528"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/71f2e02a52d47417a6fd69f456346cd8aa7aca98"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/aaf850fd333cd89e9aada03d92aaa788a6cb1bb8"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Configuration Injection via Carriage Return (\\r) in write() method",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-0864",
        "datePublished": "2026-06-23T17:42:01.947Z",
        "dateReserved": "2026-01-12T16:07:55.453Z",
        "dateUpdated": "2026-06-24T12:55:42.471Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11940 (GCVE-0-2026-11940)

    Vulnerability from cvelistv5 – Published: 2026-06-23 16:04 – Updated: 2026-06-30 15:13
    VLAI
    Title
    tarfile extraction filter bypass allows escaping the destination directory
    Summary
    tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself.  The extraction fallback validated the symlink at it's archived location but recreated it at the hardlink's shallower path, letting a relative target the filter judged contained escape the destination directory.  This allowed a malicious tar archive to create a symlink pointing outside the destination, enabling out-of-destination file reads or writes. This was an incomplete fix of CVE-2025-4330.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0 (python)
    Create a notification for this product.
    Credits
    Haruki Oyama (https://github.com/harukioya) Stan Ulbrych (https://github.com/StanFromIreland) Petr Viktorin (https://github.com/encukou)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11940",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T17:57:25.652265Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T17:57:32.525Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Haruki Oyama (https://github.com/harukioya)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Petr Viktorin (https://github.com/encukou)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "\u003cspan\u003etarfile.extractall()\u003c/span\u003e with the \u003cspan\u003e\u0027data\u0027\u003c/span\u003e or \u003cspan\u003e\u0027tar\u0027\u003c/span\u003e\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u0026nbsp; \nThe extraction fallback validated the symlink at it\u0027s archived location \nbut recreated it at the hardlink\u0027s shallower\u003cbr\u003epath, letting a relative\n target the filter judged contained escape the destination directory.\u0026nbsp; \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330."
                }
              ],
              "value": "tarfile.extractall() with the \u0027data\u0027 or \u0027tar\u0027\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u00a0 \nThe extraction fallback validated the symlink at it\u0027s archived location \nbut recreated it at the hardlink\u0027s shallower\npath, letting a relative\n target the filter judged contained escape the destination directory.\u00a0 \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T15:13:33.568Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/151559"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/LD6QIISNQFQYOIEPJNEUIPV7S3V76FZH/"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/151558"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/672825e2f36a57e173959b0d9d409d4560dab8df"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/771d12dda5140313db0ac550292987975651bbde"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/79c06bd5c6afa3c440d50faf7ee1b147c8832b4c"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/be13e86f6b9788a6f4d0419dffef72cbae5865c9"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "tarfile extraction filter bypass allows escaping the destination directory",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-11940",
        "datePublished": "2026-06-23T16:04:17.321Z",
        "dateReserved": "2026-06-10T19:50:59.923Z",
        "dateUpdated": "2026-06-30T15:13:33.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12003 (GCVE-0-2026-12003)

    Vulnerability from cvelistv5 – Published: 2026-06-16 15:18 – Updated: 2026-06-23 17:55
    VLAI
    Title
    CPython >3.11 Insecure Input Validation resulting in privilege escalation
    Summary
    To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree. On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive. Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory have equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources. Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separated directory in the build for binaries, are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.15.0b3 (python)
    Create a notification for this product.
    Credits
    Jake Yamaki (https://github.com/b6938236) Steve Dower (https://github.com/zooba)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12003",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-16T17:53:54.916961Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-16T17:56:25.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-16T19:12:36.706Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/16/8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.15.0b3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jake Yamaki (https://github.com/b6938236)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Steve Dower (https://github.com/zooba)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "To allow builds of Python to be run from an in-tree layout (rather than\u003cbr\u003ean installed file layout), the VPATH variable is defined at build time\u003cbr\u003eand used to locate certain landmarks - specifically,\u003cbr\u003eModules/setup.local. When this landmark is found relative to VPATH\u003cbr\u003erelative to the executable, Python assumes it is running in a source\u003cbr\u003etree and generates a different default sys.path. This code remains in\u003cbr\u003erelease builds, so that release-ready builds can be built in-tree.\u003cbr\u003e\u003cbr\u003eOn Windows, since builds are written to \u0027PCbuild/\u0027, the value of\u003cbr\u003eVPATH is set to \u0027..\\..\u0027, which results in a landmark of\u003cbr\u003e\u0027..\\..\\Modules\\setup.local\u0027. This path is outside the install directory\u003cbr\u003eof Python, and may have different permissions, potentially allowing a\u003cbr\u003elow-privilege user to create the landmark and an alternative `Lib`\u003cbr\u003efolder that will be discovered by an otherwise restricted install.\u003cbr\u003e\u003cbr\u003eSuch a setup occurs with the legacy default install location for all\u003cbr\u003eusers (in the now superseded EXE installer), due to how Windows allows\u003cbr\u003eall users to create folders in the root directory of their OS drive.\u003cbr\u003e\u003cbr\u003eOur recommended mitigation on Windows is to migrate away from the\u003cbr\u003elegacy installer and use the new [Python install\u003cbr\u003emanager](https://www.python.org/downloads/latest/pymanager/) to install\u003cbr\u003efor the current user. Installs where the directory two levels above the\u003cbr\u003ePython installation directory have equivalent permissions are unaffected\u003cbr\u003e(in general, a per-user install cannot be modified at all by other\u003cbr\u003eusers, removing any escalation of privilege risk, and could be directly\u003cbr\u003emodified by a privileged user, making the potential tampering\u003cbr\u003eirrelevant). Alternative mitigations might include preemptively creating\u003cbr\u003eand restricting access to a `Modules` directory. Be aware that only 3.13\u003cbr\u003eand 3.14 will receive updated legacy installers - earlier fixes are only\u003cbr\u003eprovided as sources.\u003cbr\u003e\u003cbr\u003ePlatforms other than Windows allow VPATH to be overridden, but as they\u003cbr\u003edon\u0027t usually use a separated directory in the build for binaries, are\u003cbr\u003eunlikely to have a landmark reference outside of the install directory.\u003cbr\u003e\u003cbr\u003eThe landmark detection involving VPATH is a fallback for when a more\u003cbr\u003especific landmark - .\\pybuilddir.txt - is absent, and was included for\u003cbr\u003ecompatibility. Future releases of Python will no longer include the\u003cbr\u003efallback, and so builds will need to generate or preserve the\u003cbr\u003epybuilddir.txt file in order to work in-tree. This landmark file has\u003cbr\u003ebeen generated on Windows since 3.11, and on other platforms for longer."
                }
              ],
              "value": "To allow builds of Python to be run from an in-tree layout (rather than\nan installed file layout), the VPATH variable is defined at build time\nand used to locate certain landmarks - specifically,\nModules/setup.local. When this landmark is found relative to VPATH\nrelative to the executable, Python assumes it is running in a source\ntree and generates a different default sys.path. This code remains in\nrelease builds, so that release-ready builds can be built in-tree.\n\nOn Windows, since builds are written to \u0027PCbuild/\u0027, the value of\nVPATH is set to \u0027..\\..\u0027, which results in a landmark of\n\u0027..\\..\\Modules\\setup.local\u0027. This path is outside the install directory\nof Python, and may have different permissions, potentially allowing a\nlow-privilege user to create the landmark and an alternative `Lib`\nfolder that will be discovered by an otherwise restricted install.\n\nSuch a setup occurs with the legacy default install location for all\nusers (in the now superseded EXE installer), due to how Windows allows\nall users to create folders in the root directory of their OS drive.\n\nOur recommended mitigation on Windows is to migrate away from the\nlegacy installer and use the new [Python install\nmanager](https://www.python.org/downloads/latest/pymanager/) to install\nfor the current user. Installs where the directory two levels above the\nPython installation directory have equivalent permissions are unaffected\n(in general, a per-user install cannot be modified at all by other\nusers, removing any escalation of privilege risk, and could be directly\nmodified by a privileged user, making the potential tampering\nirrelevant). Alternative mitigations might include preemptively creating\nand restricting access to a `Modules` directory. Be aware that only 3.13\nand 3.14 will receive updated legacy installers - earlier fixes are only\nprovided as sources.\n\nPlatforms other than Windows allow VPATH to be overridden, but as they\ndon\u0027t usually use a separated directory in the build for binaries, are\nunlikely to have a landmark reference outside of the install directory.\n\nThe landmark detection involving VPATH is a fallback for when a more\nspecific landmark - .\\pybuilddir.txt - is absent, and was included for\ncompatibility. Future releases of Python will no longer include the\nfallback, and so builds will need to generate or preserve the\npybuilddir.txt file in order to work in-tree. This landmark file has\nbeen generated on Windows since 3.11, and on other platforms for longer."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T17:55:53.735Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/151545"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/151544"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://https://mail.python.org/archives/list/security-announce@python.org/thread/JIFOBO7UX3LY4VJKJUOKYJV62CFR2IRH/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/16c40f944b7bff724a403cf4902763d095bb4b2a"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/9e863fab283eddca9c2a8f9d1ee30f4dc243e314"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/a86de0bc236fbb9452f98998fc8437e9fca35700"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/b93d6d3399adbd3a5037b6b92fc3587c85ac5d56"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CPython \u003e3.11 Insecure Input Validation resulting in privilege escalation",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-12003",
        "datePublished": "2026-06-16T15:18:42.998Z",
        "dateReserved": "2026-06-11T17:05:37.519Z",
        "dateUpdated": "2026-06-23T17:55:53.735Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9669 (GCVE-0-2026-9669)

    Vulnerability from cvelistv5 – Published: 2026-06-08 22:01 – Updated: 2026-07-07 16:59
    VLAI
    Title
    bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow
    Summary
    bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0 , < 3.14.6 (python)
    Affected: 3.15.0a1 , < 3.15.0b3 (python)
    Create a notification for this product.
    Credits
    Bitshift (https://github.com/TheShiftedBit) Emma Smith (https://github.com/emmatyping) Stan Ulbrych (https://github.com/StanFromIreland) Serhiy Storchaka (https://github.com/serhiy-storchaka)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-08T23:27:25.188Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/08/17"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9669",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-16T12:23:25.378543Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-16T12:23:44.258Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "bz2"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.6",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b3",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Bitshift (https://github.com/TheShiftedBit)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Emma Smith (https://github.com/emmatyping)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data."
                }
              ],
              "value": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T16:59:27.712Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/150600"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/150599"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/157a5df8cb5d82b33f918a7489e72ce95ceb12b6"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/5755d0f083949ff3c5bf3a37e673e24e306b036e"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/619a12b2e545391dc436b3af79dda22337382a6f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/d3ca26983dfbccdf609f24ff5877dc3118e4702d"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/938ec030e90c5e53f1faac6fab1643f14e4f4a79"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-9669",
        "datePublished": "2026-06-08T22:01:15.420Z",
        "dateReserved": "2026-05-27T03:13:18.152Z",
        "dateUpdated": "2026-07-07T16:59:27.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7774 (GCVE-0-2026-7774)

    Vulnerability from cvelistv5 – Published: 2026-06-04 14:21 – Updated: 2026-07-07 16:59
    VLAI
    Title
    tarfile.data_filter path traversal bypass allows writing outside the extraction directory
    Summary
    tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0 , < 3.14.6 (python)
    Affected: 3.15.0a1 , < 3.15.0b2 (python)
    Create a notification for this product.
    Credits
    Phùng Siêu Đạt (OPSWAT Unit 515) Seth Larson (https://github.com/sethmlarson) Gregory P. Smith (https://github.com/gpshead) Petr Viktorin (https://github.com/encukou) Stan Ulbrych (https://github.com/StanFromIreland)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7774",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T17:27:23.917872Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T17:27:34.304Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-04T18:45:41.657Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/04/9"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "tarfile"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.6",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b2",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ph\u00f9ng Si\u00eau \u0110\u1ea1t (OPSWAT Unit 515)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Gregory P. Smith (https://github.com/gpshead)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Petr Viktorin (https://github.com/encukou)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process."
                }
              ],
              "value": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T16:59:55.298Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/149487"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/149486"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/0478bd83d82b255e0f29f613367a59d261e7eaa2"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/0d28f5e46e151718972dfabd91205444d0037b6d"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/578411982c16f753f4893532510099ef665117da"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/5cf47a248c35c375d610b87b2f72fd1ed454b558"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/74cca9a92fb7d653e404843a56b8bdc7b0afdbbf"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/10a13bee3c24f9c62b602e696334ff2272a40efc"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/c063191cb7f9170f9565e305f8aa2b79ab2bf609"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "tarfile.data_filter path traversal bypass allows writing outside the extraction directory",
          "x_generator": {
            "engine": "Vulnogram 0.6.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-7774",
        "datePublished": "2026-06-04T14:21:23.904Z",
        "dateReserved": "2026-05-04T14:47:51.154Z",
        "dateUpdated": "2026-07-07T16:59:55.298Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3276 (GCVE-0-2026-3276)

    Vulnerability from cvelistv5 – Published: 2026-06-03 14:29 – Updated: 2026-06-16 14:54
    VLAI
    Title
    Potential DoS via quadratic complexity in unicodedata.normalize()
    Summary
    unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0 , < 3.14.6 (python)
    Affected: 3.15.0a1 , < 3.15.0b2 (python)
    Create a notification for this product.
    Credits
    Seokchan Yoon (https://github.com/ch4n3-yoon) Tim Peters (https://github.com/tim-one) Bénédikt Tran (https://github.com/picnixz) Serhiy Storchaka (https://github.com/serhiy-storchaka) Stan Ulbrych (https://github.com/StanFromIreland) Seth Larson (https://github.com/sethmlarson) Petr Viktorin (https://github.com/encukou)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3276",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T17:27:09.393265Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T17:27:19.179Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-06-03T19:18:17.828Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/06/03/15"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.6",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b2",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Seokchan Yoon (https://github.com/ch4n3-yoon)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Tim Peters (https://github.com/tim-one)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Petr Viktorin (https://github.com/encukou)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003eunicodedata.normalize()\u003c/span\u003e can take excessive CPU time when processing\u003cbr\u003especially crafted Unicode input containing long runs of combining characters\u003cbr\u003ewith alternating Canonical Combining Class values.\u003cbr\u003eThis affects all normalization forms."
                }
              ],
              "value": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T14:54:50.442Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/149080"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/149079"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Potential DoS via quadratic complexity in unicodedata.normalize()",
          "x_generator": {
            "engine": "Vulnogram 0.6.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-3276",
        "datePublished": "2026-06-03T14:29:39.727Z",
        "dateReserved": "2026-02-26T15:19:46.862Z",
        "dateUpdated": "2026-06-16T14:54:50.442Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8328 (GCVE-0-2026-8328)

    Vulnerability from cvelistv5 – Published: 2026-05-13 20:14 – Updated: 2026-06-30 15:09
    VLAI
    Title
    FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
    Summary
    The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side request forgery (SSRF)
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0 , < 3.14.6 (python)
    Affected: 3.15.0a1 , < 3.15.0b2 (python)
    Create a notification for this product.
    Credits
    Qi Deng (https://github.com/ikow) Bénédikt Tran (https://github.com/picnixz) Gregory P. Smith (https://github.com/gpshead)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8328",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T12:49:18.311219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T12:49:39.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "ftplib"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.6",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b2",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Qi Deng (https://github.com/ikow)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Gregory P. Smith (https://github.com/gpshead)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "\u003cdiv\u003eThe ftpcp() function in Lib/ftplib.py was not updated when \nCVE-2021-4189 was fixed. While makepasv() was patched to replace \nserver-supplied PASV host addresses with the actual peer address \n(getpeername()[0]), ftpcp() still calls parse227() directly and passes \nthe raw attacker-controllable IP address and port to target.sendport(). This patch is related to\u0026nbsp;CVE-2021-4189.\u003c/div\u003e"
                }
              ],
              "value": "The ftpcp() function in Lib/ftplib.py was not updated when \nCVE-2021-4189 was fixed. While makepasv() was patched to replace \nserver-supplied PASV host addresses with the actual peer address \n(getpeername()[0]), ftpcp() still calls parse227() directly and passes \nthe raw attacker-controllable IP address and port to target.sendport(). This patch is related to\u00a0CVE-2021-4189."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side request forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T15:09:29.230Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/87451"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/149648"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/5dadc64673ce875ebfb24163907777dae0f6ca06"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/7d95a1dc7382b55cba7fdd6a110336077584a4f0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/bb3446dda6c49b32e67c11dbbbf221b40be00763"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/c88704431ea3248ca769384c13856330976fac1d"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/2bbcf3fb7a420a05605576c0f9468d4675381b5f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/ef12d0dc824baccf737bba1458e5eed3d1e0fceb"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-8328",
        "datePublished": "2026-05-13T20:14:33.751Z",
        "dateReserved": "2026-05-11T15:06:00.859Z",
        "dateUpdated": "2026-06-30T15:09:29.230Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7210 (GCVE-0-2026-7210)

    Vulnerability from cvelistv5 – Published: 2026-05-11 17:19 – Updated: 2026-06-10 18:57
    VLAI
    Title
    The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
    Summary
    `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0 , < 3.14.6 (python)
    Affected: 3.15.0a1 , < 3.15.0b2 (python)
    Create a notification for this product.
    Credits
    Stan Ulbrych (https://github.com/StanFromIreland) Gregory P. Smith (https://github.com/gpshead)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7210",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:53:57.884366Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T18:54:12.868Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-05-11T20:34:17.811Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/11/8"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/11/13"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "xml",
                "expat"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.6",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b2",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Stan Ulbrych (https://github.com/StanFromIreland)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Gregory P. Smith (https://github.com/gpshead)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."
                }
              ],
              "value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-331",
                  "description": "CWE-331 Insufficient entropy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T18:57:50.682Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/149023"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/149018"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-7210",
        "datePublished": "2026-05-11T17:19:09.784Z",
        "dateReserved": "2026-04-27T14:43:40.042Z",
        "dateUpdated": "2026-06-10T18:57:50.682Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3087 (GCVE-0-2026-3087)

    Vulnerability from cvelistv5 – Published: 2026-04-27 20:46 – Updated: 2026-06-10 18:04
    VLAI
    Title
    shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
    Summary
    If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0a1 , < 3.14.5rc1 (python)
    Affected: 3.15.0a1 , < 3.15.0b1 (python)
    Create a notification for this product.
    Credits
    Serhiy Storchaka (https://github.com/serhiy-storchaka) Seth Larson (https://github.com/sethmlarson) GGAutomaton (https://github.com/GGAutomaton)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-04-28T05:07:42.331Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/04/28/9"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3087",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T13:38:08.747185Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T14:35:55.942Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "shutil"
              ],
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.5rc1",
                  "status": "affected",
                  "version": "3.14.0a1",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b1",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "GGAutomaton (https://github.com/GGAutomaton)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."
                }
              ],
              "value": "If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T18:04:43.260Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/146591"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/146581"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE5C6KDKOVNX3EC3DWD5RUPFWOZA4/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/ab5ef98af693bded74a738570e81ea70abef2840"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/b01e594fbe754a960212f908d047294e880b52fd"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/fc829e88753858c8ac669594bf0093f44948c0f4"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/65b255416ae217bf0e22085be3c1976cea18bd8c"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/8e13025747e1ca72e86d1f35637123f9c306f0cb"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/8ee6aff14054b37b53e47194a2fa313e98163c94"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "shutil.unpack_archive() doesn\u0027t check for Windows absolute paths in ZIPs",
          "x_generator": {
            "engine": "Vulnogram 0.6.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-3087",
        "datePublished": "2026-04-27T20:46:43.201Z",
        "dateReserved": "2026-02-23T23:14:46.433Z",
        "dateUpdated": "2026-06-10T18:04:43.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6019 (GCVE-0-2026-6019)

    Vulnerability from cvelistv5 – Published: 2026-04-22 19:28 – Updated: 2026-06-10 18:58
    VLAI
    Title
    BaseCookie.js_output() does not neutralize embedded characters
    Summary
    http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-150 - Improper neutralization of escape, meta, or control sequences
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
    Affected: 3.14.0a1 , < 3.14.5rc1 (python)
    Affected: 3.15.0a1 , < 3.15.0b1 (python)
    Create a notification for this product.
    Credits
    oolongeya (https://github.com/komi22) Seth Larson (https://github.com/sethmlarson)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6019",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T20:02:17.071906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T20:02:34.468Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.5rc1",
                  "status": "affected",
                  "version": "3.14.0a1",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b1",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "oolongeya (https://github.com/komi22)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003ehttp.cookies.Morsel.js_output()\u003c/code\u003e returns an inline \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e snippet and only escapes \u003ccode\u003e\"\u003c/code\u003e for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003ccode\u003e\u0026lt;/script\u0026gt;\u003c/code\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value."
                }
              ],
              "value": "http.cookies.Morsel.js_output() returns an inline \u003cscript\u003e snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003c/script\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-150",
                  "description": "CWE-150 Improper neutralization of escape, meta, or control sequences",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T18:58:07.798Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/148848"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/90309"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "BaseCookie.js_output() does not neutralize embedded characters",
          "x_generator": {
            "engine": "Vulnogram 0.6.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-6019",
        "datePublished": "2026-04-22T19:28:08.720Z",
        "dateReserved": "2026-04-09T15:35:00.668Z",
        "dateUpdated": "2026-06-10T18:58:07.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3298 (GCVE-0-2026-3298)

    Vulnerability from cvelistv5 – Published: 2026-04-21 14:45 – Updated: 2026-06-10 18:05
    VLAI
    Title
    Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes
    Summary
    The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 3.11.0 , < 3.13.14 (python)
    Affected: 3.14.0a1 , < 3.14.5rc1 (python)
    Affected: 3.15.0a1 , < 3.15.0b1 (python)
    Create a notification for this product.
    Credits
    GGAutomaton (https://github.com/GGAutomaton) Victor Stinner (https://github.com/vstinner) Seth Larson (https://github.com/sethmlarson)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3298",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-21T19:15:36.206348Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-21T19:15:44.557Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.13.14",
                  "status": "affected",
                  "version": "3.11.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.14.5rc1",
                  "status": "affected",
                  "version": "3.14.0a1",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b1",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "GGAutomaton (https://github.com/GGAutomaton)"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Victor Stinner (https://github.com/vstinner)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Seth Larson (https://github.com/sethmlarson)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "type": "text/html",
                  "value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."
                }
              ],
              "value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787 Out-of-bounds write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T18:05:02.868Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/148809"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/148808"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/KWTPIQBOOOUNQP7UFSLBI437NJDFLA3F/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/1274766d3c29007ab77245a72abbf8dce2a9db4d"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/27522b7d6e6588f03e61099dd858cd5a9314e2f2"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/95633d2aad4721e25e4dfd9f43dfb6e1edcbd741"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-3298",
        "datePublished": "2026-04-21T14:45:01.919Z",
        "dateReserved": "2026-02-26T20:12:47.041Z",
        "dateUpdated": "2026-06-10T18:05:02.868Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5713 (GCVE-0-2026-5713)

    Vulnerability from cvelistv5 – Published: 2026-04-14 15:11 – Updated: 2026-06-10 18:58
    VLAI
    Title
    Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target
    Summary
    The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    PSF
    Impacted products
    Vendor Product Version
    Python Software Foundation CPython Affected: 3.14.0 , < 3.14.5 (python)
    Affected: 3.15.0a1 , < 3.15.0b1 (python)
    Create a notification for this product.
    Credits
    Nicholas Gould (https://github.com/gouldnicholas) Pablo Galindo Salgado Pablo Galindo Salgado
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5713",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T15:49:26.893551Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T15:49:38.323Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-04-15T17:24:22.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/04/15/6"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CPython",
              "repo": "https://github.com/python/cpython",
              "vendor": "Python Software Foundation",
              "versions": [
                {
                  "lessThan": "3.14.5",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "python"
                },
                {
                  "lessThan": "3.15.0b1",
                  "status": "affected",
                  "version": "3.15.0a1",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Nicholas Gould (https://github.com/gouldnicholas)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Pablo Galindo Salgado"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Pablo Galindo Salgado"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR."
                }
              ],
              "value": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125 Out-of-bounds read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T18:58:12.898Z",
            "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
            "shortName": "PSF"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/pull/148187"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/python/cpython/issues/148178"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/OG4RHARYSNIE22GGOMVMCRH76L5HKPLM/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/289fd2c97a7e5aecb8b69f94f5e838ccfeee7e67"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/python/cpython/commit/316f6265b7f9ca4ffed5346b747475ef1943f35d"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target",
          "x_generator": {
            "engine": "Vulnogram 0.6.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "assignerShortName": "PSF",
        "cveId": "CVE-2026-5713",
        "datePublished": "2026-04-14T15:11:51.122Z",
        "dateReserved": "2026-04-06T17:16:14.111Z",
        "dateUpdated": "2026-06-10T18:58:12.898Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }