VYPR

Python

by Python (programming language)

CVEs (183)

  • CVE-2024-5642 · Medium · Jun 27, 2024
    risk 0.35 · cvss 6.5 · epss 0.01

    CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of…

  • CVE-2026-3276 · Medium · Jun 3, 2026
    risk 0.34 · cvss n/a · epss 0.00

    unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

  • CVE-2025-0938 · Medium · Jan 31, 2025
    risk 0.34 · cvss n/a · epss 0.01

    The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This…

  • CVE-2023-27043 · Medium · Apr 19, 2023
    risk 0.34 · cvss 5.3 · epss 0.03

    The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which…

  • CVE-2026-6019 · Medium · Apr 22, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow…

  • CVE-2024-0450 · Medium · Mar 19, 2024
    risk 0.33 · cvss 6.2 · epss 0.00

    An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The…

  • CVE-2026-3446 · Medium · Apr 10, 2026
    risk 0.32 · cvss n/a · epss 0.00

    When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other…

  • CVE-2026-0672 · Medium · Jan 20, 2026
    risk 0.32 · cvss n/a · epss 0.00

    When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

  • CVE-2025-15282 · Medium · Jan 20, 2026
    risk 0.32 · cvss n/a · epss 0.00

    User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

  • CVE-2026-8328 · Medium · May 13, 2026
    risk 0.31 · cvss n/a · epss 0.00

    The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw…

  • CVE-2026-0865 · Medium · Jan 20, 2026
    risk 0.31 · cvss n/a · epss 0.00

    User-controlled header names and values containing newlines can allow injecting HTTP headers.

  • CVE-2025-15367 · Medium · Jan 20, 2026
    risk 0.31 · cvss n/a · epss 0.00

    The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

  • CVE-2025-15366 · Medium · Jan 20, 2026
    risk 0.31 · cvss n/a · epss 0.00

    The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

  • CVE-2025-4516 · Medium · May 15, 2025
    risk 0.31 · cvss n/a · epss 0.00

    There is an issue in CPython when using `bytes.decode("unicode_escape", errors="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler, your usage is not affected. To work around this issue you may stop using the errors= handler and instead wrap…

  • CVE-2026-1502 · Medium · Apr 10, 2026
    risk 0.30 · cvss n/a · epss 0.00

    CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

  • CVE-2026-2297 · Medium · Mar 4, 2026
    risk 0.30 · cvss n/a · epss 0.00

    The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

  • CVE-2025-11468 · Medium · Jan 20, 2026
    risk 0.30 · cvss n/a · epss 0.01

    When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

  • CVE-2024-6923 · Medium · Aug 1, 2024
    risk 0.29 · cvss 5.5 · epss 0.01

    There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

  • CVE-2025-8291 · Medium · Oct 7, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record: the offset value it carries would not be used to locate the ZIP64 EOCD record; instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could…

  • CVE-2024-12718 · Medium · Jun 3, 2025
    risk 0.28 · cvss 5.3 · epss 0.01

    Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using…

Page 3 of 10