Seth Michael Larson

113 exploits Active since Mar 2020
CVE-2026-4519 WRITEUP LOW WRITEUP
webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVSS 3.3
CVE-2026-0672 WRITEUP MEDIUM WRITEUP
CPython HTTP Header Injection via http.cookies.Morsel
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-0865 WRITEUP MEDIUM WRITEUP
Python CPython - HTTP Header Injection
User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2026-1299 WRITEUP MEDIUM WRITEUP
CPython email module - CRLF Injection in BytesGenerator Header Serialization
The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
CVE-2025-13462 WRITEUP LOW WRITEUP
CPython Tarfile Archive Misinterpretation via AREGTYPE Block Normalization
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
CVSS 3.3
CVE-2026-4519 WRITEUP LOW WRITEUP
webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVSS 3.3
CVE-2026-0672 WRITEUP MEDIUM WRITEUP
CPython HTTP Header Injection via http.cookies.Morsel
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-0865 WRITEUP MEDIUM WRITEUP
Python CPython - HTTP Header Injection
User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2026-1299 WRITEUP MEDIUM WRITEUP
CPython email module - CRLF Injection in BytesGenerator Header Serialization
The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
CVE-2025-13462 WRITEUP LOW WRITEUP
CPython Tarfile Archive Misinterpretation via AREGTYPE Block Normalization
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
CVSS 3.3
CVE-2026-4519 WRITEUP LOW WRITEUP
webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVSS 3.3
CVE-2026-0672 WRITEUP MEDIUM WRITEUP
CPython HTTP Header Injection via http.cookies.Morsel
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-0865 WRITEUP MEDIUM WRITEUP
Python CPython - HTTP Header Injection
User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2026-1299 WRITEUP MEDIUM WRITEUP
CPython email module - CRLF Injection in BytesGenerator Header Serialization
The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
CVE-2025-13462 WRITEUP LOW WRITEUP
CPython Tarfile Archive Misinterpretation via AREGTYPE Block Normalization
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
CVSS 3.3
CVE-2026-4519 WRITEUP LOW WRITEUP
webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVSS 3.3
CVE-2025-13462 WRITEUP LOW WRITEUP
CPython Tarfile Archive Misinterpretation via AREGTYPE Block Normalization
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
CVSS 3.3
CVE-2026-4519 WRITEUP LOW WRITEUP
webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVSS 3.3
CVE-2026-4519 WRITEUP LOW WRITEUP
webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVSS 3.3
CVE-2025-13462 WRITEUP LOW WRITEUP
CPython Tarfile Archive Misinterpretation via AREGTYPE Block Normalization
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
CVSS 3.3
CVE-2020-26137 WRITEUP MEDIUM WRITEUP
urllib3 < 1.25.9 - CRLF Injection via HTTP Request Method
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVSS 6.5
CVE-2020-7212 WRITEUP HIGH WRITEUP
urllib3 1.25.2-1.25.7 - Denial of Service via Inefficient Percent-Encoding Algorithm
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
CVSS 7.5
CVE-2021-33503 WRITEUP HIGH WRITEUP
urllib3 >=1.25.4 <1.26.5 - Denial of Service via Authority Component Regex Backtracking
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
CVSS 7.5
CVE-2023-43804 WRITEUP MEDIUM WRITEUP
urllib3 <1.26.17, <2.0.5 - Info Disclosure
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
CVSS 5.9
CVE-2024-3219 WRITEUP MEDIUM WRITEUP
CPython <3.8.20, 3.9.0-3.9.19, 3.10.0-3.10.14, 3.11.0-3.11.9, 3.12.0-3.12.4, 3.13.0a1-3.13.0rc0 - Socket Connection Race
The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.