python
262 tracked vulnerabilities.
CVE-2026-15308
HIGH
Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
Jul 09, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-59890
MEDIUM
setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+
Jul 08, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-55798
MEDIUM
Pillow: WindowsViewer.get_command() OS command injection via unescaped shell path
Jul 06, 2026
CVSS 4.5
EPSS 0.00
CVE-2026-55380
HIGH
Pillow GdImageFile decompression bomb protection bypass
Jul 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-55379
HIGH
Pillow BdfFontFile`: `Image.new()` called without `_decompression_bomb_check()` — bomb protection bypass via font loading
Jul 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-54060
HIGH
Pillow: `FontFile.compile()`: `Image.new()` called without `_decompression_bomb_check()`
Jul 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-54059
HIGH
Pillow: PcfFontFile._load_bitmaps()`: `Image.frombytes()` called without `_decompression_bomb_check()` — bomb protection bypass via PCF font loading
Jul 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-4360
MEDIUM
Python Software Foundation CPython - Tarfile.extract() Doesn't Fully Respect Filter Parameter
Jun 30, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44432
HIGH
urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
May 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44431
MEDIUM
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
May 13, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-7210
HIGH
The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
May 11, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-42311
HIGH
Pillow: OOB Write with Invalid PSD Tile Extents (Integer Overflow)
May 09, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-42310
MEDIUM
Pillow: PDF Parsing Trailer Infinite Loop (DoS)
May 09, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-42309
MEDIUM
Pillow: Heap buffer overflow with nested list coordinates
May 09, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-42308
MEDIUM
Pillow: Integer overflow when processing fonts
May 09, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-3087
HIGH
shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
Apr 27, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-6019
MEDIUM
BaseCookie.js_output() does not neutralize embedded characters
Apr 22, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-40192
HIGH
Pillow is vulnerable to a FITS GZIP decompression bomb
Apr 15, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-5271
HIGH
Possible to hijack modules in current working directory
Apr 01, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-25645
MEDIUM
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
Mar 25, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-4519
LOW
webbrowser.open() allows leading dashes in URLs
Mar 20, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-4224
HIGH
Stack overflow parsing XML with deeply nested DTD content models
Mar 16, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-3644
HIGH
Incomplete control character validation in http.cookies
Mar 16, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32274
HIGH
Black < 26.3.1 - Path Traversal via --python-cell-magics Option
Mar 12, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-31900
CRITICAL
Black GitHub Action - Command Injection
Mar 11, 2026
CVSS 9.8
EPSS 0.00
Products
python 139
pillow 65
urllib3 19
requests 6
setuptools 4
keyring 3
black 2
pyxdg 2
typed_ast 2
Protobuf 1
beaker 1
cpython 1
hpack 1
hyper 1
jw.util 1
novajoin 1
openpyxl 1
py-bcrypt 1
pybluemonday 1
pymanager 1
pypi 1
pypiserver 1
python-gnupg 1
python_priority_library 1
pyxml 1
rply 1
rsa 1
tablib 1
tgcaptcha2 1
tkvideoplayer 1
Quick Filters