python

262 tracked vulnerabilities.

CVE-2026-15308 HIGH
Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
Jul 09, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-59890 MEDIUM
setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+
Jul 08, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-55798 MEDIUM
Pillow: WindowsViewer.get_command() OS command injection via unescaped shell path
Jul 06, 2026
CVSS 4.5
EPSS 0.00
CVE-2026-55380 HIGH
Pillow GdImageFile decompression bomb protection bypass
Jul 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-55379 HIGH
Pillow BdfFontFile`: `Image.new()` called without `_decompression_bomb_check()` — bomb protection bypass via font loading
Jul 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-54060 HIGH
Pillow: `FontFile.compile()`: `Image.new()` called without `_decompression_bomb_check()`
Jul 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-54059 HIGH
Pillow: PcfFontFile._load_bitmaps()`: `Image.frombytes()` called without `_decompression_bomb_check()` — bomb protection bypass via PCF font loading
Jul 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-4360 MEDIUM
Python Software Foundation CPython - Tarfile.extract() Doesn't Fully Respect Filter Parameter
Jun 30, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44432 HIGH
urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
May 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44431 MEDIUM
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
May 13, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-7210 HIGH
The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
May 11, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-42311 HIGH
Pillow: OOB Write with Invalid PSD Tile Extents (Integer Overflow)
May 09, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-42310 MEDIUM
Pillow: PDF Parsing Trailer Infinite Loop (DoS)
May 09, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-42309 MEDIUM
Pillow: Heap buffer overflow with nested list coordinates
May 09, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-42308 MEDIUM
Pillow: Integer overflow when processing fonts
May 09, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-3087 HIGH
shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
Apr 27, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-6019 MEDIUM
BaseCookie.js_output() does not neutralize embedded characters
Apr 22, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-40192 HIGH
Pillow is vulnerable to a FITS GZIP decompression bomb
Apr 15, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-5271 HIGH
Possible to hijack modules in current working directory
Apr 01, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-25645 MEDIUM
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
Mar 25, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-4519 LOW
webbrowser.open() allows leading dashes in URLs
Mar 20, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-4224 HIGH
Stack overflow parsing XML with deeply nested DTD content models
Mar 16, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-3644 HIGH
Incomplete control character validation in http.cookies
Mar 16, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32274 HIGH
Black < 26.3.1 - Path Traversal via --python-cell-magics Option
Mar 12, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-31900 CRITICAL
Black GitHub Action - Command Injection
Mar 11, 2026
CVSS 9.8
EPSS 0.00