VYPR

apk package

chainguard/py3-cassandra-medusa

pkg:apk/chainguard/py3-cassandra-medusa

Vulnerabilities (72)

  • CVE-2026-30922HigMar 18, 2026
    affected < 0.27.0-r5fixed 0.27.0-r5

    pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousa

  • CVE-2026-27459Mar 17, 2026
    affected < 0.27.0-r5fixed 0.27.0-r5

    pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Sta

  • CVE-2026-27448Mar 17, 2026
    affected < 0.27.0-r5fixed 0.27.0-r5

    pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying

  • CVE-2026-32597HigMar 13, 2026
    affected < 0.27.0-r5fixed 0.27.0-r5

    PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token i

  • CVE-2026-26007Feb 10, 2026
    affected < 0.27.0-r4fixed 0.27.0-r4

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke

  • CVE-2026-1703LowFeb 2, 2026
    affected < 0.29.0-r4fixed 0.29.0-r4

    When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat

  • CVE-2026-0994HigJan 23, 2026
    affected < 0.27.1-r0fixed 0.27.1-r0

    A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l

  • CVE-2025-71176MedJan 22, 2026
    affected < 0.28.0-r0fixed 0.28.0-r0

    pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

  • CVE-2026-23949Jan 20, 2026
    affected < 0.27.0-r2fixed 0.27.0-r2

    jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta

  • CVE-2026-23490Jan 16, 2026
    affected < 0.27.0-r2fixed 0.27.0-r2

    pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

  • CVE-2026-21226Jan 13, 2026
    affected < 0.27.0-r2fixed 0.27.0-r2

    Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.

  • CVE-2026-22702Jan 10, 2026
    affected < 0.27.0-r2fixed 0.27.0-r2

    virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local acces

  • CVE-2026-22701Jan 10, 2026
    affected < 0.27.0-r1fixed 0.27.0-r1

    filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race

  • CVE-2026-21441Jan 7, 2026
    affected < 0.28.0-r1fixed 0.28.0-r1

    urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b

  • CVE-2025-69230Jan 5, 2026
    affected < 0.26.0-r3fixed 0.26.0-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w

  • CVE-2025-69229Jan 5, 2026
    affected < 0.26.0-r3fixed 0.26.0-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method

  • CVE-2025-69228Jan 5, 2026
    affected < 0.26.0-r3fixed 0.26.0-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ

  • CVE-2025-69227Jan 5, 2026
    affected < 0.26.0-r3fixed 0.26.0-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI

  • CVE-2025-69225Jan 5, 2026
    affected < 0.26.0-r3fixed 0.26.0-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi

  • CVE-2025-69226Jan 5, 2026
    affected < 0.26.0-r3fixed 0.26.0-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica