Victor Stinner

CVE-2026-0865 WRITEUP MEDIUM WRITEUP

Python CPython - HTTP Header Injection

User-controlled header names and values containing newlines can allow injecting HTTP headers.

View Code

CVE-2024-11168 WRITEUP LOW WRITEUP

Python urllib.parse - Bracketed Host Validation Server-Side Request Forgery

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

CVSS 3.7

View Code

CVE-2026-0865 WRITEUP MEDIUM WRITEUP

Python CPython - HTTP Header Injection

User-controlled header names and values containing newlines can allow injecting HTTP headers.

View Code

CVE-2024-11168 WRITEUP LOW WRITEUP

Python urllib.parse - Bracketed Host Validation Server-Side Request Forgery

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

CVSS 3.7

View Code

CVE-2026-0865 WRITEUP MEDIUM WRITEUP

Python CPython - HTTP Header Injection

User-controlled header names and values containing newlines can allow injecting HTTP headers.

View Code

CVE-2024-9287 WRITEUP HIGH WRITEUP

CPython < 3.9.21 - Command Injection via Unquoted Path in venv Module

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

CVSS 7.8

View Code

CVE-2026-0865 WRITEUP MEDIUM WRITEUP

Python CPython - HTTP Header Injection

User-controlled header names and values containing newlines can allow injecting HTTP headers.

View Code

CVE-2024-9287 WRITEUP HIGH WRITEUP

CPython < 3.9.21 - Command Injection via Unquoted Path in venv Module

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

CVSS 7.8

View Code

CVE-2026-0865 WRITEUP MEDIUM WRITEUP

Python CPython - HTTP Header Injection

User-controlled header names and values containing newlines can allow injecting HTTP headers.

View Code

CVE-2024-9287 WRITEUP HIGH WRITEUP

CPython < 3.9.21 - Command Injection via Unquoted Path in venv Module

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

CVSS 7.8

View Code

CVE-2025-8194 WRITEUP HIGH WRITEUP

CPython TarFile Extraction Infinite Loop Vulnerability

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

CVSS 7.5

View Code

CVE-2026-0865 WRITEUP MEDIUM WRITEUP

Python CPython - HTTP Header Injection

User-controlled header names and values containing newlines can allow injecting HTTP headers.

View Code

CVE-2025-8194 WRITEUP HIGH WRITEUP

CPython TarFile Extraction Infinite Loop Vulnerability

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

CVSS 7.5

View Code

CVE-2026-3644 WRITEUP HIGH WRITEUP

Incomplete control character validation in http.cookies

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

CVSS 7.5

View Code

CVE-2026-3644 WRITEUP HIGH WRITEUP

Incomplete control character validation in http.cookies

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

CVSS 7.5

View Code

CVE-2026-3644 WRITEUP HIGH WRITEUP

Incomplete control character validation in http.cookies

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

CVSS 7.5

View Code

CVE-2024-9287 WRITEUP HIGH WRITEUP

CPython < 3.9.21 - Command Injection via Unquoted Path in venv Module

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

CVSS 7.8

View Code

CVE-2007-2645 EXPLOITDB text WRITEUP

libexif <0.6.14 - DoS/Code Injection

Integer overflow in the exif_data_load_data_entry function in exif-data.c in libexif before 0.6.14 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted EXIF data, involving the (1) doff or (2) s variable.

View Code