Bitnami package

python-min

pkg:bitnami/python-min

Vulnerabilities (87)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-8328	Med	—	< 3.14.5	3.14.5	May 13, 2026	The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker
CVE-2026-7210	Cri	9.8	>= 0	—	May 11, 2026	`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying thi
CVE-2026-3087	Hig	7.5	< 3.14.5	3.14.5	Apr 27, 2026	If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
CVE-2026-6019	Med	6.1	< 3.14.5	3.14.5	Apr 22, 2026	http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow esc
CVE-2026-3298	Hig	—	>= 3.11.0	—	Apr 21, 2026	The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affe
CVE-2026-5713	Med	—	>= 3.15.0	—	Apr 14, 2026	The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected"
CVE-2026-4786	Hig	—	< 3.14.5	3.14.5	Apr 13, 2026	Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
CVE-2026-6100	Cri	—	< 3.14.5	3.14.5	Apr 13, 2026	Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The
CVE-2026-3446	Med	—	< 3.13.13	3.13.13	Apr 10, 2026	When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other impleme
CVE-2026-1502	Med	—	< 3.14.5	3.14.5	Apr 10, 2026	CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
CVE-2026-4519	Low	3.3	< 3.15.0	3.15.0	Mar 20, 2026	The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVE-2026-3479	Non	—	< 3.15.0	3.15.0	Mar 18, 2026	DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security mode
CVE-2026-4224	Med	—	< 3.13.13	3.13.13	Mar 16, 2026	When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.
CVE-2026-3644		—	< 3.15.0	3.15.0	Mar 16, 2026	The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), \|= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the ou
CVE-2025-13462	Low	—	< 3.15.0	3.15.0	Mar 12, 2026	The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to ot
CVE-2026-2297	Med	—	< 3.15.0	3.15.0	Mar 4, 2026	The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
CVE-2026-1299	Med	—	< 3.10.20	3.10.20	Jan 23, 2026	The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't
CVE-2025-12781		—	< 3.15.0	3.15.0	Jan 21, 2026	When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as
CVE-2026-0865	Med	—	< 3.10.20	3.10.20	Jan 20, 2026	User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2026-0672	Med	—	< 3.10.20	3.10.20	Jan 20, 2026	When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

CVE-2026-8328MedMay 13, 2026
affected < 3.14.5fixed 3.14.5
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker
CVE-2026-7210CriMay 11, 2026
affected >= 0
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying thi
CVE-2026-3087HigApr 27, 2026
affected < 3.14.5fixed 3.14.5
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
CVE-2026-6019MedApr 22, 2026
affected < 3.14.5fixed 3.14.5
http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow esc
CVE-2026-3298HigApr 21, 2026
affected >= 3.11.0
The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affe
CVE-2026-5713MedApr 14, 2026
affected >= 3.15.0
The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected"
CVE-2026-4786HigApr 13, 2026
affected < 3.14.5fixed 3.14.5
Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
CVE-2026-6100CriApr 13, 2026
affected < 3.14.5fixed 3.14.5
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The
CVE-2026-3446MedApr 10, 2026
affected < 3.13.13fixed 3.13.13
When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other impleme
CVE-2026-1502MedApr 10, 2026
affected < 3.14.5fixed 3.14.5
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
CVE-2026-4519LowMar 20, 2026
affected < 3.15.0fixed 3.15.0
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVE-2026-3479NonMar 18, 2026
affected < 3.15.0fixed 3.15.0
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security mode
CVE-2026-4224MedMar 16, 2026
affected < 3.13.13fixed 3.13.13
When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.
CVE-2026-3644Mar 16, 2026
affected < 3.15.0fixed 3.15.0
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the ou
CVE-2025-13462LowMar 12, 2026
affected < 3.15.0fixed 3.15.0
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to ot
CVE-2026-2297MedMar 4, 2026
affected < 3.15.0fixed 3.15.0
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
CVE-2026-1299MedJan 23, 2026
affected < 3.10.20fixed 3.10.20
The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't
CVE-2025-12781Jan 21, 2026
affected < 3.15.0fixed 3.15.0
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as
CVE-2026-0865MedJan 20, 2026
affected < 3.10.20fixed 3.10.20
User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2026-0672MedJan 20, 2026
affected < 3.10.20fixed 3.10.20
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Page 1 of 5