Seth Michael Larson

20 exploits Active since Mar 2020
CVE-2026-4519 WRITEUP LOW WRITEUP
webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVSS 3.3
CVE-2025-13462 WRITEUP LOW WRITEUP
Python tarfile - Path Traversal
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
CVE-2020-26137 WRITEUP MEDIUM WRITEUP
Python Urllib3 < 1.25.9 - Injection
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVSS 6.5
CVE-2020-7212 WRITEUP HIGH WRITEUP
Python Urllib3 < 1.25.7 - Denial of Service
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
CVSS 7.5
CVE-2021-33503 WRITEUP HIGH WRITEUP
urllib3 <1.26.5 - DoS
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
CVSS 7.5
CVE-2023-43804 WRITEUP MEDIUM WRITEUP
urllib3 <1.26.17, <2.0.5 - Info Disclosure
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
CVSS 5.9
CVE-2024-3219 WRITEUP MEDIUM WRITEUP
socket - Connection Race
The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.
CVE-2024-6232 WRITEUP HIGH WRITEUP
CPython - ReDoS
There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
CVSS 7.5
CVE-2025-0938 WRITEUP MEDIUM WRITEUP
Python - SSRF
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
CVE-2025-11468 WRITEUP MEDIUM WRITEUP
Email Client - Info Disclosure
When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.
CVE-2025-15282 WRITEUP MEDIUM WRITEUP
urllib < - SSRF
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2025-15366 WRITEUP MEDIUM WRITEUP
imaplib - Command Injection
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
CVE-2025-15367 WRITEUP MEDIUM WRITEUP
poplib - Command Injection
The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
CVE-2025-4330 WRITEUP HIGH WRITEUP
Python TarFile < - Path Traversal
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
CVSS 7.5
CVE-2025-4435 WRITEUP HIGH WRITEUP
CPython TarFile - Incorrect Extraction with errorlevel=0
When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.
CVSS 7.5
CVE-2025-50181 WRITEUP MEDIUM WRITEUP
urllib3 <2.5.0 - SSRF
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
CVSS 5.3
CVE-2026-0672 WRITEUP MEDIUM WRITEUP
http - Cookie Injection
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-0865 WRITEUP MEDIUM WRITEUP
Product < Version - SSRF
User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2026-1299 WRITEUP MEDIUM WRITEUP
Email module - Header Injection
The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
CVE-2026-1703 WRITEUP LOW WRITEUP
Pypi Pip < 26.0 - Path Traversal
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.