VYPR

apk package

wolfi/py3-cassandra-medusa

pkg:apk/wolfi/py3-cassandra-medusa

Vulnerabilities (68)

  • CVE-2026-42305HigJun 10, 2026
    affected < 0.29.0-r0fixed 0.29.0-r0

    Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element

  • CVE-2026-45409MedJun 5, 2026
    affected < 0.29.0-r2fixed 0.29.0-r2

    Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t

  • CVE-2026-44432HigMay 13, 2026
    affected < 0.29.0-r2fixed 0.29.0-r2

    urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w

  • CVE-2026-44431MedMay 13, 2026
    affected < 0.29.0-r2fixed 0.29.0-r2

    urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

  • CVE-2026-39892CriApr 8, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner

  • CVE-2026-34591MedApr 2, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrus

  • CVE-2026-34525MedApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

  • CVE-2026-34520CriApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.

  • CVE-2026-34519MedApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

  • CVE-2026-34518MedApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in

  • CVE-2026-34517MedApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.

  • CVE-2026-34516HigApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched

  • CVE-2026-34515HigApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.

  • CVE-2026-34514MedApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

  • CVE-2026-34513HigApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.

  • CVE-2026-22815HigApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.

  • CVE-2026-34073MedMar 31, 2026
    affected < 0.27.0-r6fixed 0.27.0-r6

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently

  • CVE-2026-25645Mar 25, 2026
    affected < 0.28.0-r1fixed 0.28.0-r1

    Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid

  • CVE-2026-30922HigMar 18, 2026
    affected < 0.27.0-r5fixed 0.27.0-r5

    pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousa

  • CVE-2026-27459Mar 17, 2026
    affected < 0.27.0-r5fixed 0.27.0-r5

    pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Sta

Page 1 of 4