PatchSiren

Python Software Foundation CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Python Software Foundation CVE published 2026-07-09

CVE-2026-15308

CVE-2026-15308 is a HIGH severity vulnerability in Python's incremental HTML parser. The vulnerability allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data. The CVSS score for this vulnerability is 8.7. This vulnerability affects users of Python, especially those processing uncontrolled data with the incremental HTML parser. The vulnerability [truncated]

LOW Python Software Foundation CVE published 2026-06-30

CVE-2026-4360

A vulnerability exists in the Tarfile.extract() function where the filter parameter is not properly passed when extracting hardlinks. This could lead to files being written with unexpected uid/gid values, even when the user specifies filter='data' to the extract() function. The issue arises because the filter parameter is not correctly passed during the extraction of hardlinks, potentially resulting in se [truncated]

HIGH Python Software Foundation CVE published 2026-06-23

CVE-2026-11972

The Python tarfile module is vulnerable to a denial-of-service (DoS) attack when using streaming mode. The module does not properly handle end-of-file (EOF), causing archive parsing to consume excessive resources and time. This issue has been assigned a CVSS score of 8.2 and is considered high severity. The vulnerability was published on June 23, 2026, and last modified on June 25, 2026.

MEDIUM Python Software Foundation CVE published 2026-06-23

CVE-2026-0864

CVE-2026-0864 is a vulnerability in the Python configparser module that occurs when writing configuration files with multi-line text values containing carriage return characters. An attacker controlling the written value can inject unexpected keys and values into the resulting file. The vulnerability has a CVSS score of 4.1 and is classified as medium severity. The CVE was published on June 23, 2026, and [truncated]

HIGH Python Software Foundation CVE published 2026-06-23

CVE-2026-11940

CVE-2026-11940 is a high-severity vulnerability in the Python tarfile module's extractall() function. The vulnerability allows for out-of-destination file reads or writes by bypassing the 'data' or 'tar' filter through a crafted archive. This is achieved by a hardlink referencing a symlink stored at a deeper name than the hardlink itself, permitting a relative target to escape the destination directory. T [truncated]

HIGH Python Software Foundation CVE published 2026-06-08

CVE-2026-9669

CVE-2026-9669 is a HIGH severity vulnerability affecting Python's bz2.BZ2Decompressor objects. The issue allows these objects to be reused after a decompression error. If an application catches the resulting OSError and retries with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash [truncated]

MEDIUM Python Software Foundation CVE published 2026-06-04

CVE-2026-7774

CVE-2026-7774 is a MEDIUM severity vulnerability in the Python tarfile module. A crafted tar archive could cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process. This was due to a bypass of the tarfile.data_filter using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members o [truncated]

MEDIUM Python Software Foundation CVE published 2026-05-13

CVE-2026-8328

CVE-2026-8328 is a medium-severity vulnerability in Python's ftplib module, specifically within the ftpcp() function. The issue represents an incomplete fix for CVE-2021-4189: while makepasv() was patched to prevent server-supplied PASV host address spoofing by substituting the actual peer address, ftpcp() was overlooked and continues to call parse227() directly. This allows an attacker-controllable IP ad [truncated]

MEDIUM Python Software Foundation CVE published 2026-04-27

CVE-2026-3087

CVE-2026-3087 is a medium-severity vulnerability affecting Python's shutil.unpack_archive() function. The vulnerability occurs when the function is given a ZIP archive with an absolute Windows path containing a drive (C:). This allows the archive to be extracted outside the target directory, which is different from other operating systems. Only Windows is affected by this vulnerability.

LOW Python Software Foundation CVE published 2026-04-22

CVE-2026-6019

A vulnerability in Python's http.cookies.Morsel.js_output() method allows HTML injection through insufficient escaping. The method generates an inline <script> element containing cookie data, escaping only double quotes for JavaScript string safety but failing to neutralize the </script> sequence. This permits an attacker with control over cookie values to prematurely close the script element and inject a [truncated]

MEDIUM Python Software Foundation CVE published 2026-04-14

CVE-2026-5713

This CVE affects Python's remote debugging capabilities introduced in versions 3.14+ (asyncio introspection) and 3.15+ (profiling.sampling module). The vulnerability allows a malicious or compromised Python process to read and write memory addresses in a privileged process that connects to it via the remote debugging feature. Exploitation requires persistent, repeated connections because ASLR causes high- [truncated]

HIGH Python Software Foundation CVE published 2026-04-13

CVE-2026-4786

CVE-2026-4786 is a high-severity vulnerability that stems from the incomplete mitigation of CVE-2026-4519. The vulnerability allows for command injection into the underlying shell for certain browser types through the webbrowser.open() API when the URL contains the string '%action'. This issue was introduced due to an insufficient fix for CVE-2026-4519. The vulnerability has a CVSS score of 7 and is class [truncated]

HIGH Python Software Foundation CVE published 2026-03-20

CVE-2026-4519

CVE-2026-4519 is a high-severity vulnerability in the Python webbrowser.open() API. The API previously accepted leading dashes in URLs, which could be handled as command line options for certain web browsers. This behavior has been changed to reject leading dashes. Users are advised to sanitize URLs prior to passing them to webbrowser.open(). The vulnerability has a CVSS score of 7 and is considered high [truncated]

MEDIUM Python Software Foundation CVE published 2026-03-16

CVE-2026-3644

CVE-2026-3644 is a vulnerability in Python's http.cookies module. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. Specifically, the Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). [truncated]

MEDIUM Python Software Foundation CVE published 2026-01-20

CVE-2025-15366

The imaplib module in Python is vulnerable to injection attacks when passed user-controlled commands containing newlines. This CVE was published on 2026-01-20T22:15:51.023Z and last modified on 2026-07-07T18:16:33.170Z. The vulnerability has a CVSS score of 5.9 and is classified as MEDIUM severity. Users of Python's imaplib module should assess their exposure and apply mitigations to reject commands with [truncated]