Miss Islington (bot)

125 exploits Active since Jun 2019
CVE-2025-13837 WRITEUP MEDIUM WRITEUP
Python < 3.13.10 - Denial of Service via plistlib Malicious File Size Handling
When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
CVSS 5.5
CVE-2025-15282 WRITEUP MEDIUM WRITEUP
Python urllib.request - Data URL Header Injection
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2025-8291 WRITEUP MEDIUM WRITEUP
CPython <3.9.24, 3.10.0-3.10.18, 3.11.0-3.11.13, 3.12.0-3.12.11, 3.13.0-3.13.9, 3.14.0 - ZIP64 EOCD Validation Bypass
The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.
CVSS 4.3
CVE-2026-0672 WRITEUP MEDIUM WRITEUP
CPython HTTP Header Injection via http.cookies.Morsel
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-1299 WRITEUP MEDIUM WRITEUP
CPython email module - CRLF Injection in BytesGenerator Header Serialization
The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
CVE-2025-4516 WRITEUP MEDIUM WRITEUP
CPython - Info Disclosure
There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.
CVE-2025-6069 WRITEUP MEDIUM WRITEUP
CPython < 3.9.24, 3.10.0-3.10.18, 3.11.0-3.11.13, 3.12.0-3.12.11, 3.13.0-3.13.5, 3.14.0a1-3.14.0b2 - DoS via HTML Parser
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
CVSS 4.3
CVE-2025-8194 WRITEUP HIGH WRITEUP
CPython TarFile Extraction Infinite Loop Vulnerability
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
CVSS 7.5
CVE-2025-8291 WRITEUP MEDIUM WRITEUP
CPython <3.9.24, 3.10.0-3.10.18, 3.11.0-3.11.13, 3.12.0-3.12.11, 3.13.0-3.13.9, 3.14.0 - ZIP64 EOCD Validation Bypass
The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.
CVSS 4.3
CVE-2026-0672 WRITEUP MEDIUM WRITEUP
CPython HTTP Header Injection via http.cookies.Morsel
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2025-8194 WRITEUP HIGH WRITEUP
CPython TarFile Extraction Infinite Loop Vulnerability
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
CVSS 7.5
CVE-2026-4519 WRITEUP LOW WRITEUP
webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVSS 3.3
CVE-2026-4786 WRITEUP HIGH WRITEUP
Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
CVE-2026-0672 WRITEUP MEDIUM WRITEUP
CPython HTTP Header Injection via http.cookies.Morsel
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-2297 WRITEUP MEDIUM WRITEUP
CPython < 3.15.0a7 - Unprotected User Data Exposure via SourcelessFileLoader Import Hook
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
CVE-2026-3479 WRITEUP NONE WRITEUP
pkgutil.get_data() does not enforce documented restrictions
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
CVE-2026-4786 WRITEUP HIGH WRITEUP
Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
CVE-2026-0865 WRITEUP MEDIUM WRITEUP
Python CPython - HTTP Header Injection
User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2026-2297 WRITEUP MEDIUM WRITEUP
CPython < 3.15.0a7 - Unprotected User Data Exposure via SourcelessFileLoader Import Hook
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
CVE-2026-3644 WRITEUP HIGH WRITEUP
Incomplete control character validation in http.cookies
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
CVSS 7.5
CVE-2026-4224 WRITEUP HIGH WRITEUP
Stack overflow parsing XML with deeply nested DTD content models
When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.
CVSS 7.5
CVE-2026-4519 WRITEUP LOW WRITEUP
webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVSS 3.3
CVE-2026-6100 WRITEUP CRITICAL WRITEUP
Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
CVE-2026-6019 WRITEUP MEDIUM WRITEUP
BaseCookie.js_output() does not neutralize embedded characters
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
CVSS 6.1
CVE-2026-2297 WRITEUP MEDIUM WRITEUP
CPython < 3.15.0a7 - Unprotected User Data Exposure via SourcelessFileLoader Import Hook
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.