| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-6019 | BaseCookie.js_output() does not neutralize embedded characters | Python Software Foundation | CPython | - | - | 2026-04-22 19:28:09 | Deep Dive |
| CVE-2026-3298 | Out-of-bounds write in Windows asyncio.ProactorEventLoop.sock_recvfrom_into() when using nbytes | Python Software Foundation | CPython | - | - | 2026-04-21 14:45:02 | Deep Dive |
| CVE-2026-5713 | Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target | Python Software Foundation | CPython | Medium | - | 2026-04-14 15:11:51 | Deep Dive |
| CVE-2026-4786 | Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() | Python Software Foundation | CPython | High | - | 2026-04-13 21:52:19 | Deep Dive |
| CVE-2026-6100 | Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure | Python Software Foundation | CPython | High | - | 2026-04-13 17:15:48 | Deep Dive |
| CVE-2026-3446 | Base64 decoding stops at first padded quad by default | Python Software Foundation | CPython | - | - | 2026-04-10 18:17:35 | Deep Dive |
| CVE-2026-1502 | HTTP client proxy tunnel headers not validated for CR/LF | Python Software Foundation | CPython | - | - | 2026-04-10 17:54:44 | Deep Dive |
| CVE-2026-4519 | webbrowser.open() allows leading dashes in URLs | Python Software Foundation | CPython | High | - | 2026-03-20 15:08:33 | Deep Dive |
| CVE-2026-3479 | pkgutil.get_data() does not enforce documented restrictions | Python Software Foundation | CPython | Low | - | 2026-03-18 18:13:42 | Deep Dive |
| CVE-2026-4224 | Stack overflow parsing XML with deeply nested DTD content models | Python Software Foundation | CPython | Medium | - | 2026-03-16 17:52:27 | Deep Dive |
| CVE-2026-3644 | Incomplete control character validation in http.cookies | Python Software Foundation | CPython | Medium | - | 2026-03-16 17:37:31 | Deep Dive |
| CVE-2025-13462 | tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling | Python Software Foundation | CPython | - | - | 2026-03-12 17:59:27 | Deep Dive |
| CVE-2026-2297 | SourcelessFileLoader does not use io.open_code() | Python Software Foundation | CPython | Low | - | 2026-03-04 22:10:43 | Deep Dive |
| CVE-2026-1299 | email BytesGenerator header injection due to unquoted newlines | Python Software Foundation | CPython | High | - | 2026-01-23 16:27:13 | Deep Dive |
| CVE-2025-12781 | base64.b64decode() always accepts "+/" characters, despite setting altchars | Python Software Foundation | CPython | - | - | 2026-01-21 19:34:48 | Deep Dive |
| CVE-2026-0672 | Header injection in http.cookies.Morsel | Python Software Foundation | CPython | - | - | 2026-01-20 21:52:34 | Deep Dive |
| CVE-2025-15367 | POP3 command injection in user-controlled commands | Python Software Foundation | CPython | - | - | 2026-01-20 21:47:10 | Deep Dive |
| CVE-2025-15366 | IMAP command injection in user-controlled commands | Python Software Foundation | CPython | - | - | 2026-01-20 21:40:25 | Deep Dive |
| CVE-2025-15282 | Header injection via newlines in data URL mediatype | Python Software Foundation | CPython | - | - | 2026-01-20 21:35:14 | Deep Dive |
| CVE-2026-0865 | wsgiref.headers.Headers allows header newline injection | Python Software Foundation | CPython | - | - | 2026-01-20 21:26:15 | Deep Dive |