Vendor CVEs
Python (programming language)
All CVEs
310 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-1912 | | | 0.05 | — | 0.28 | | Mar 1, 2014 | Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string. |
| CVE-2008-4864 | | | 0.05 | — | 0.21 | | Nov 1, 2008 | Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer… |
| CVE-2021-28476 | | | 0.04 | — | 0.38 | | May 11, 2021 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2014-4650 | | | 0.04 | — | 0.24 | | Feb 20, 2020 | The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character… |
| CVE-2007-4965 | | | 0.04 | — | 0.12 | | Sep 18, 2007 | Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and… |
| CVE-2007-2052 | | | 0.04 | — | 0.12 | | Apr 16, 2007 | Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a… |
| CVE-2021-23336 | | | 0.03 | — | 0.36 | | Feb 15, 2021 | The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking.… |
| CVE-2019-0709 | | | 0.03 | — | 0.04 | | Jun 12, 2019 | A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating… |
| CVE-2011-1872 | | | 0.03 | — | 0.03 | | Jun 16, 2011 | Hyper-V in Microsoft Windows Server 2008 Gold, SP2, R2, and R2 SP1 allows guest OS users to cause a denial of service (host OS infinite loop) via malformed machine instructions in a VMBus packet, aka "VMBus Persistent DoS Vulnerability." |
| CVE-2007-1657 | | | 0.03 | — | 0.05 | | Mar 24, 2007 | Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument. |
| CVE-2024-23741 | | | 0.02 | — | 0.02 | | Jan 28, 2024 | An issue in Hyper on macOS version 3.4.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. |
| CVE-2023-24329 | | | 0.02 | — | 0.20 | | Feb 17, 2023 | An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. |
| CVE-2021-3177 | | | 0.02 | — | 0.23 | | Jan 19, 2021 | Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This… |
| CVE-2018-1000802 | | Cri | 0.02 | 9.8 | 0.21 | | Sep 18, 2018 | Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via… |
| CVE-2015-1283 | | | 0.02 | — | 0.19 | | Jul 23, 2015 | Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via… |
| CVE-2013-0340 | | | 0.02 | — | 0.19 | | Jan 21, 2014 | expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read… |
| CVE-2024-21407 | | | 0.01 | — | 0.16 | | Mar 12, 2024 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2023-36407 | | | 0.01 | — | 0.02 | | Nov 14, 2023 | Windows Hyper-V Elevation of Privilege Vulnerability |
| CVE-2022-48565 | | | 0.01 | — | 0.04 | | Aug 22, 2023 | An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. |
| CVE-2022-35751 | | | 0.01 | — | 0.05 | | May 31, 2023 | Windows Hyper-V Elevation of Privilege Vulnerability |
| CVE-2022-22042 | | | 0.01 | — | 0.02 | | Jul 12, 2022 | Windows Hyper-V Information Disclosure Vulnerability |
| CVE-2021-3737 | | | 0.01 | — | 0.12 | | Mar 4, 2022 | A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to… |
| CVE-2021-29921 | | | 0.01 | — | 0.07 | | May 6, 2021 | In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses. |
| CVE-2020-27619 | | | 0.01 | — | 0.08 | | Oct 22, 2020 | In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. |
| CVE-2020-0890 | | | 0.01 | — | 0.03 | | Sep 11, 2020 | A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest… |
| CVE-2020-0909 | | | 0.01 | — | 0.04 | | May 21, 2020 | A denial of service vulnerability exists when Hyper-V on a Windows Server fails to properly handle specially crafted network packets.To exploit the vulnerability, an attacker would send specially crafted network packets to the Hyper-V Server.The security update addresses the… |
| CVE-2020-8492 | | | 0.01 | — | 0.07 | | Jan 30, 2020 | Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic… |
| CVE-2019-0722 | | | 0.01 | — | 0.05 | | Jun 12, 2019 | A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating… |
| CVE-2019-9948 | | | 0.01 | — | 0.12 | | Mar 23, 2019 | urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. |
| CVE-2019-9740 | | | 0.01 | — | 0.05 | | Mar 13, 2019 | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query… |
| CVE-2019-9636 | | | 0.01 | — | 0.09 | | Mar 8, 2019 | Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The… |
| CVE-2014-3007 | | | 0.01 | — | 0.12 | | Apr 27, 2014 | Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py. |
| CVE-2008-1887 | | | 0.01 | — | 0.06 | | Apr 18, 2008 | Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers… |
| CVE-2026-11972 | | | 0.00 | — | 0.00 | | Jun 23, 2026 | When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop. |
| CVE-2026-0864 | | | 0.00 | — | 0.00 | | Jun 23, 2026 | When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value. |
| CVE-2026-3479 | | Non | 0.00 | — | 0.00 | | Mar 18, 2026 | DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security… |
| CVE-2025-12781 | | | 0.00 | — | 0.01 | | Jan 21, 2026 | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as… |
| CVE-2025-6966 | | | 0.00 | — | 0.00 | | Dec 5, 2025 | NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key. |
| CVE-2025-12084 | | | 0.00 | — | 0.01 | | Dec 3, 2025 | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. |
| CVE-2025-13837 | | | 0.00 | — | 0.00 | | Dec 1, 2025 | When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues |
| CVE-2025-6075 | | | 0.00 | — | 0.00 | | Oct 31, 2025 | If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. |
| CVE-2024-50649 | | | 0.00 | — | 0.01 | | Nov 15, 2024 | The user avatar upload function in python_book V1.0 has an arbitrary file upload vulnerability. |
| CVE-2024-50650 | | | 0.00 | — | 0.01 | | Nov 15, 2024 | python_book V1.0 is vulnerable to Incorrect Access Control, which allows attackers to obtain sensitive information of users with different IDs by modifying the ID parameter. |
| CVE-2024-9287 | | | 0.00 | — | 0.01 | | Oct 22, 2024 | A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This… |
| CVE-2024-6232 | | | 0.00 | — | 0.02 | | Sep 3, 2024 | There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. |
| CVE-2024-7592 | | | 0.00 | — | 0.02 | | Aug 19, 2024 | There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting… |
| CVE-2024-20684 | | | 0.00 | — | 0.01 | | Feb 13, 2024 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2024-20700 | | | 0.00 | — | 0.04 | | Jan 9, 2024 | Windows Hyper-V Remote Code Execution Vulnerability |
| CVE-2024-20699 | | | 0.00 | — | 0.01 | | Jan 9, 2024 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2023-6507 | | | 0.00 | — | 0.01 | | Dec 8, 2023 | An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not… |
Page 3 of 7