
Python Software Foundation — Vulnerabilities & Security Advisories (63)

Browse all 63 CVE security advisories affecting Python Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Python Software Foundation (PSF) is a non-profit organization dedicated to protecting and advancing the Python programming language while supporting and facilitating the growth of a diverse global community of developers. As the steward of the official Python distribution, its core business involves maintaining the integrity of the interpreter and standard library, which are foundational to countless enterprise and scientific applications. Historically, vulnerabilities associated with the PSF’s maintained codebase have frequently involved memory corruption issues, such as buffer overflows, and logic flaws leading to privilege escalation or remote code execution (RCE) within the interpreter itself. While the PSF does not host third-party packages, its official releases have occasionally been targeted by supply chain attacks or misconfigurations in associated infrastructure. Notable incidents include critical flaws in the SSL/TLS handling and integer overflow bugs in the standard library, prompting rigorous security audits and rapid patch cycles to mitigate risks for the vast ecosystem relying on Python’s core infrastructure.

Top products by Python Software Foundation: CPython, pymanager

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-11972 | tarfile opened in streaming mode mishandles EOF | CPython | CWE-252 | - | - | 2026-06-23
CVE-2026-0864 | Configuration Injection via Carriage Return (\r) in write() method | CPython | - | - | - | 2026-06-23
CVE-2026-11940 | tarfile extraction filter bypass allows escaping the destination directory | CPython | CWE-22 | - | - | 2026-06-23
CVE-2026-12003 | CPython >3.11 Insecure Input Validation resulting in privilege escalation | CPython | CWE-427 | - | - | 2026-06-16
CVE-2026-9669 | bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow | CPython | CWE-121 | - | - | 2026-06-08
CVE-2026-7774 | tarfile.data_filter path traversal bypass allows writing outside the extraction directory | CPython | CWE-22 | - | - | 2026-06-04
CVE-2026-3276 | Potential DoS via quadratic complexity in unicodedata.normalize() | CPython | CWE-407 | - | - | 2026-06-03
CVE-2026-8328 | FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address | CPython | CWE-918 | - | - | 2026-05-13
CVE-2026-7210 | The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection | CPython | CWE-331 | - | - | 2026-05-11
CVE-2026-3087 | shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs | CPython | CWE-22 | 6.2 (AI) | Medium (AI) | 2026-04-27
CVE-2026-6019 | BaseCookie.js_output() does not neutralize embedded characters | CPython | CWE-150 | 6.1 (AI) | Medium (AI) | 2026-04-22
CVE-2026-3298 | Out-of-bounds write in Windows asyncio.ProactorEventLoop.sock_recvfrom_into() when using nbytes | CPython | CWE-787 | 8.8 (AI) | High (AI) | 2026-04-21
CVE-2026-5713 | Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target | CPython | CWE-121 | 9.1 | - | 2026-04-14
CVE-2026-4786 | Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() | CPython | CWE-77 | 9.8 | - | 2026-04-13
CVE-2026-6100 | Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure | CPython | CWE-416 | 8.4 | - | 2026-04-13
CVE-2026-3446 | Base64 decoding stops at first padded quad by default | CPython | - | 8.2 (AI) | High (AI) | 2026-04-10
CVE-2026-1502 | HTTP client proxy tunnel headers not validated for CR/LF | CPython | - | 7.5 (AI) | High (AI) | 2026-04-10
CVE-2026-5271 | Possible to hijack modules in current working directory | pymanager | - | 8.4 (AI) | High (AI) | 2026-04-01
CVE-2026-4519 | webbrowser.open() allows leading dashes in URLs | CPython | - | 8.2 | - | 2026-03-20
CVE-2026-3479 | pkgutil.get_data() does not enforce documented restrictions | CPython | - | 7.5 | - | 2026-03-18
CVE-2026-4224 | Stack overflow parsing XML with deeply nested DTD content models | CPython | - | 9.8 | - | 2026-03-16
CVE-2026-3644 | Incomplete control character validation in http.cookies | CPython | - | 9.8 | - | 2026-03-16
CVE-2025-13462 | tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling | CPython | - | 6.5 (AI) | Medium (AI) | 2026-03-12
CVE-2026-2297 | SourcelessFileLoader does not use io.open_code() | CPython | - | 8.2 | - | 2026-03-04
CVE-2026-1299 | email BytesGenerator header injection due to unquoted newlines | CPython | CWE-93 | 4.3 | - | 2026-01-23
CVE-2025-12781 | base64.b64decode() always accepts "+/" characters, despite setting altchars | CPython | - | 7.5 (AI) | High (AI) | 2026-01-21
CVE-2026-0672 | Header injection in http.cookies.Morsel | CPython | CWE-93 | 4.3 (AI) | Medium (AI) | 2026-01-20
CVE-2025-15367 | POP3 command injection in user-controlled commands | CPython | CWE-77 | 9.8 (AI) | Critical (AI) | 2026-01-20
CVE-2025-15366 | IMAP command injection in user-controlled commands | CPython | CWE-77 | 9.8 (AI) | Critical (AI) | 2026-01-20
CVE-2025-15282 | Header injection via newlines in data URL mediatype | CPython | CWE-93 | 5.3 (AI) | Medium (AI) | 2026-01-20

This page lists every published CVE security advisory associated with Python Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.