rpm package
almalinux/python3.14-devel
pkg:rpm/almalinux/python3.14-devel
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-6019 | Medium | 6.1 | | < 3.14.5-1.el9_8 | 3.14.5-1.el9_8 | Apr 22, 2026 | http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow esc |
| CVE-2026-5713 | Medium | — | | < 3.14.4-2.el10_2 | 3.14.4-2.el10_2 | Apr 14, 2026 | The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" |
| CVE-2026-4786 | High | — | | < 3.14.4-2.el10_2 | 3.14.4-2.el10_2 | Apr 13, 2026 | Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types, and the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details. |
| CVE-2026-6100 | Critical | — | | < 3.14.4-2.el10_2 | 3.14.4-2.el10_2 | Apr 13, 2026 | Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The |
| CVE-2026-1502 | Medium | — | | < 3.14.4-2.el10_2 | 3.14.4-2.el10_2 | Apr 10, 2026 | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. |
| CVE-2026-4519 | Low | 3.3 | | < 3.14.4-2.el10_2 | 3.14.4-2.el10_2 | Mar 20, 2026 | The webbrowser.open() API would accept leading dashes in the URL, which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing them to webbrowser.open(). |
| CVE-2026-4224 | High | 7.5 | | < 3.14.4-2.el10_2 | 3.14.4-2.el10_2 | Mar 16, 2026 | When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model, a C stack overflow occurs. |
| CVE-2026-3644 | High | 7.5 | | < 3.14.4-2.el10_2 | 3.14.4-2.el10_2 | Mar 16, 2026 | The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), `\|=` operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the ou |
| CVE-2026-2297 | Medium | — | | < 3.14.4-2.el10_2 | 3.14.4-2.el10_2 | Mar 4, 2026 | The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. |
| CVE-2026-0865 | Medium | — | | < 3.14.4-2.el10_2 | 3.14.4-2.el10_2 | Jan 20, 2026 | User-controlled header names and values containing newlines can allow injecting HTTP headers. |