VYPR

rpm package

almalinux/python3.14-libs

pkg:rpm/almalinux/python3.14-libs

Vulnerabilities (10)

  • CVE-2026-6019 (Medium, Apr 22, 2026)
    affected: < 3.14.5-1.el9_8; fixed: 3.14.5-1.el9_8

    http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow esc

  • CVE-2026-5713 (Medium, Apr 14, 2026)
    affected: < 3.14.4-2.el10_2; fixed: 3.14.4-2.el10_2

    The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected"

  • CVE-2026-4786 (High, Apr 13, 2026)
    affected: < 3.14.4-2.el10_2; fixed: 3.14.4-2.el10_2

    Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types, and the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

  • CVE-2026-6100 (Critical, Apr 13, 2026)
    affected: < 3.14.4-2.el10_2; fixed: 3.14.4-2.el10_2

    Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The

  • CVE-2026-1502 (Medium, Apr 10, 2026)
    affected: < 3.14.4-2.el10_2; fixed: 3.14.4-2.el10_2

    CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

  • CVE-2026-4519 (Low, Mar 20, 2026)
    affected: < 3.14.4-2.el10_2; fixed: 3.14.4-2.el10_2

    The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

  • CVE-2026-4224 (High, Mar 16, 2026)
    affected: < 3.14.4-2.el10_2; fixed: 3.14.4-2.el10_2

    When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model, a C stack overflow occurs.

  • CVE-2026-3644 (High, Mar 16, 2026)
    affected: < 3.14.4-2.el10_2; fixed: 3.14.4-2.el10_2

    The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the ou

  • CVE-2026-2297 (Medium, Mar 4, 2026)
    affected: < 3.14.4-2.el10_2; fixed: 3.14.4-2.el10_2

    The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. The sys.audit handlers for this audit event therefore do not fire.

  • CVE-2026-0865 (Medium, Jan 20, 2026)
    affected: < 3.14.4-2.el10_2; fixed: 3.14.4-2.el10_2

    User-controlled header names and values containing newlines can allow injecting HTTP headers.