VYPR

Vendor CVEs

Python (programming language)

All CVEs

310 total · sorted by risk
  • CVE-2014-1912 · Mar 1, 2014
    risk 0.05 · cvss n/a · epss 0.28

    Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.

  • CVE-2008-4864 · Nov 1, 2008
    risk 0.05 · cvss n/a · epss 0.21

    Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer…

  • CVE-2021-28476 · May 11, 2021
    risk 0.04 · cvss n/a · epss 0.38

    Windows Hyper-V Remote Code Execution Vulnerability

  • CVE-2014-4650 · Feb 20, 2020
    risk 0.04 · cvss n/a · epss 0.24

    The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character…

  • CVE-2007-4965 · Sep 18, 2007
    risk 0.04 · cvss n/a · epss 0.12

    Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and…

  • CVE-2007-2052 · Apr 16, 2007
    risk 0.04 · cvss n/a · epss 0.12

    Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a…

  • CVE-2021-23336 · Feb 15, 2021
    risk 0.03 · cvss n/a · epss 0.36

    The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking.…

  • CVE-2019-0709 · Jun 12, 2019
    risk 0.03 · cvss n/a · epss 0.04

    A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating…

  • CVE-2011-1872 · Jun 16, 2011
    risk 0.03 · cvss n/a · epss 0.03

    Hyper-V in Microsoft Windows Server 2008 Gold, SP2, R2, and R2 SP1 allows guest OS users to cause a denial of service (host OS infinite loop) via malformed machine instructions in a VMBus packet, aka "VMBus Persistent DoS Vulnerability."

  • CVE-2007-1657 · Mar 24, 2007
    risk 0.03 · cvss n/a · epss 0.05

    Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument.

  • CVE-2024-23741 · Jan 28, 2024
    risk 0.02 · cvss n/a · epss 0.02

    An issue in Hyper on macOS version 3.4.1 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings.

  • CVE-2023-24329 · Feb 17, 2023
    risk 0.02 · cvss n/a · epss 0.20

    An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

  • CVE-2021-3177 · Jan 19, 2021
    risk 0.02 · cvss n/a · epss 0.23

    Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This…

  • CVE-2018-1000802 · Critical · Sep 18, 2018
    risk 0.02 · cvss 9.8 · epss 0.21

    Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via…

  • CVE-2015-1283 · Jul 23, 2015
    risk 0.02 · cvss n/a · epss 0.19

    Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via…

  • CVE-2013-0340 · Jan 21, 2014
    risk 0.02 · cvss n/a · epss 0.19

    expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read…

  • CVE-2024-21407 · Mar 12, 2024
    risk 0.01 · cvss n/a · epss 0.16

    Windows Hyper-V Remote Code Execution Vulnerability

  • CVE-2023-36407 · Nov 14, 2023
    risk 0.01 · cvss n/a · epss 0.02

    Windows Hyper-V Elevation of Privilege Vulnerability

  • CVE-2022-48565 · Aug 22, 2023
    risk 0.01 · cvss n/a · epss 0.04

    An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

  • CVE-2022-35751 · May 31, 2023
    risk 0.01 · cvss n/a · epss 0.05

    Windows Hyper-V Elevation of Privilege Vulnerability

  • CVE-2022-22042 · Jul 12, 2022
    risk 0.01 · cvss n/a · epss 0.02

    Windows Hyper-V Information Disclosure Vulnerability

  • CVE-2021-3737 · Mar 4, 2022
    risk 0.01 · cvss n/a · epss 0.12

    A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to…

  • CVE-2021-29921 · May 6, 2021
    risk 0.01 · cvss n/a · epss 0.07

    In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

  • CVE-2020-27619 · Oct 22, 2020
    risk 0.01 · cvss n/a · epss 0.08

    In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.

  • CVE-2020-0890 · Sep 11, 2020
    risk 0.01 · cvss n/a · epss 0.03

    A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest…

  • CVE-2020-0909 · May 21, 2020
    risk 0.01 · cvss n/a · epss 0.04

    A denial of service vulnerability exists when Hyper-V on a Windows Server fails to properly handle specially crafted network packets. To exploit the vulnerability, an attacker would send specially crafted network packets to the Hyper-V Server. The security update addresses the…

  • CVE-2020-8492 · Jan 30, 2020
    risk 0.01 · cvss n/a · epss 0.07

    Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic…

  • CVE-2019-0722 · Jun 12, 2019
    risk 0.01 · cvss n/a · epss 0.05

    A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating…

  • CVE-2019-9948 · Mar 23, 2019
    risk 0.01 · cvss n/a · epss 0.12

    urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

  • CVE-2019-9740 · Mar 13, 2019
    risk 0.01 · cvss n/a · epss 0.05

    An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query…

  • CVE-2019-9636 · Mar 8, 2019
    risk 0.01 · cvss n/a · epss 0.09

    Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The…

  • CVE-2014-3007 · Apr 27, 2014
    risk 0.01 · cvss n/a · epss 0.12

    Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.

  • CVE-2008-1887 · Apr 18, 2008
    risk 0.01 · cvss n/a · epss 0.06

    Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers…

  • CVE-2026-11972 · Jun 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop.

  • CVE-2026-0864 · Jun 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.

  • CVE-2026-3479 · None · Mar 18, 2026
    risk 0.00 · cvss n/a · epss 0.00

    DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security…

  • CVE-2025-12781 · Jan 21, 2026
    risk 0.00 · cvss n/a · epss 0.01

    When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as…

  • CVE-2025-6966 · Dec 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.

  • CVE-2025-12084 · Dec 3, 2025
    risk 0.00 · cvss n/a · epss 0.01

    When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

  • CVE-2025-13837 · Dec 1, 2025
    risk 0.00 · cvss n/a · epss 0.00

    When loading a plist file, the plistlib module reads data in the size specified by the file itself, meaning a malicious file can cause OOM and DoS issues.

  • CVE-2025-6075 · Oct 31, 2025
    risk 0.00 · cvss n/a · epss 0.00

    If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

  • CVE-2024-50649 · Nov 15, 2024
    risk 0.00 · cvss n/a · epss 0.01

    The user avatar upload function in python_book V1.0 has an arbitrary file upload vulnerability.

  • CVE-2024-50650 · Nov 15, 2024
    risk 0.00 · cvss n/a · epss 0.01

    python_book V1.0 is vulnerable to Incorrect Access Control, which allows attackers to obtain sensitive information of users with different IDs by modifying the ID parameter.

  • CVE-2024-9287 · Oct 22, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This…

  • CVE-2024-6232 · Sep 3, 2024
    risk 0.00 · cvss n/a · epss 0.02

    There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

  • CVE-2024-7592 · Aug 19, 2024
    risk 0.00 · cvss n/a · epss 0.02

    There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting…

  • CVE-2024-20684 · Feb 13, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Windows Hyper-V Denial of Service Vulnerability

  • CVE-2024-20700 · Jan 9, 2024
    risk 0.00 · cvss n/a · epss 0.04

    Windows Hyper-V Remote Code Execution Vulnerability

  • CVE-2024-20699 · Jan 9, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Windows Hyper-V Denial of Service Vulnerability

  • CVE-2023-6507 · Dec 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not…

Page 3 of 7