Python
by Python (programming language)
CVEs (183)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-5642 | | Med | 0.35 | 6.5 | 0.01 | | Jun 27, 2024 | CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of… |
| CVE-2026-3276 | | Med | 0.34 | — | 0.00 | | Jun 3, 2026 | unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms. |
| CVE-2025-0938 | | Med | 0.34 | — | 0.01 | | Jan 31, 2025 | The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This… |
| CVE-2023-27043 | | Med | 0.34 | 5.3 | 0.03 | | Apr 19, 2023 | The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which… |
| CVE-2026-6019 | | Med | 0.33 | 6.1 | 0.00 | | Apr 22, 2026 | http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow… |
| CVE-2024-0450 | | Med | 0.33 | 6.2 | 0.00 | | Mar 19, 2024 | An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The… |
| CVE-2026-3446 | | Med | 0.32 | — | 0.00 | | Apr 10, 2026 | When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other… |
| CVE-2026-0672 | | Med | 0.32 | — | 0.00 | | Jan 20, 2026 | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. |
| CVE-2025-15282 | | Med | 0.32 | — | 0.00 | | Jan 20, 2026 | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. |
| CVE-2026-8328 | | Med | 0.31 | — | 0.00 | | May 13, 2026 | The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw… |
| CVE-2026-0865 | | Med | 0.31 | — | 0.00 | | Jan 20, 2026 | User-controlled header names and values containing newlines can allow injecting HTTP headers. |
| CVE-2025-15367 | | Med | 0.31 | — | 0.00 | | Jan 20, 2026 | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. |
| CVE-2025-15366 | | Med | 0.31 | — | 0.00 | | Jan 20, 2026 | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. |
| CVE-2025-4516 | | Med | 0.31 | — | 0.00 | | May 15, 2025 | There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap… |
| CVE-2026-1502 | | Med | 0.30 | — | 0.00 | | Apr 10, 2026 | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. |
| CVE-2026-2297 | | Med | 0.30 | — | 0.00 | | Mar 4, 2026 | The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. |
| CVE-2025-11468 | | Med | 0.30 | — | 0.01 | | Jan 20, 2026 | When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. |
| CVE-2024-6923 | | Med | 0.29 | 5.5 | 0.01 | | Aug 1, 2024 | There is a MEDIUM severity vulnerability affecting CPython. The email module didn't properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. |
| CVE-2025-8291 | | Med | 0.28 | 4.3 | 0.00 | | Oct 7, 2025 | The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could… |
| CVE-2024-12718 | | Med | 0.28 | 5.3 | 0.01 | | Jun 3, 2025 | Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using… |
Page 3 of 10