These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-15308 is a HIGH severity vulnerability in Python's incremental HTML parser. The vulnerability allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data. The CVSS score for this vulnerability is 8.7. This vulnerability affects users of Python, especially those processing uncontrolled data with the incremental HTML parser. The vulnerability [truncated]
A vulnerability exists in the Tarfile.extract() function where the filter parameter is not properly passed when extracting hardlinks. This could lead to files being written with unexpected uid/gid values, even when the user specifies filter='data' to the extract() function. The issue arises because the filter parameter is not correctly passed during the extraction of hardlinks, potentially resulting in se [truncated]
The Python tarfile module is vulnerable to a denial-of-service (DoS) attack when using streaming mode. The module does not properly handle end-of-file (EOF), causing archive parsing to consume excessive resources and time. This issue has been assigned a CVSS score of 8.2 and is considered high severity. The vulnerability was published on June 23, 2026, and last modified on June 25, 2026.
CVE-2026-0864 is a vulnerability in the Python configparser module that occurs when writing configuration files with multi-line text values containing carriage return characters. An attacker controlling the written value can inject unexpected keys and values into the resulting file. The vulnerability has a CVSS score of 4.1 and is classified as medium severity. The CVE was published on June 23, 2026, and [truncated]
CVE-2026-11940 is a high-severity vulnerability in the Python tarfile module's extractall() function. The vulnerability allows for out-of-destination file reads or writes by bypassing the 'data' or 'tar' filter through a crafted archive. This is achieved by a hardlink referencing a symlink stored at a deeper name than the hardlink itself, permitting a relative target to escape the destination directory. T [truncated]
CVE-2026-9669 is a HIGH severity vulnerability affecting Python's bz2.BZ2Decompressor objects. The issue allows these objects to be reused after a decompression error. If an application catches the resulting OSError and retries with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash [truncated]
CVE-2026-7774 is a MEDIUM severity vulnerability in the Python tarfile module. A crafted tar archive could cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process. This was due to a bypass of the tarfile.data_filter using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members o [truncated]
CVE-2026-8328 is a medium-severity vulnerability in Python's ftplib module, specifically within the ftpcp() function. The issue represents an incomplete fix for CVE-2021-4189: while makepasv() was patched to prevent server-supplied PASV host address spoofing by substituting the actual peer address, ftpcp() was overlooked and continues to call parse227() directly. This allows an attacker-controllable IP ad [truncated]
CVE-2026-3087 is a medium-severity vulnerability affecting Python's shutil.unpack_archive() function. The vulnerability occurs when the function is given a ZIP archive with an absolute Windows path containing a drive (C:). This allows the archive to be extracted outside the target directory, which is different from other operating systems. Only Windows is affected by this vulnerability.
A vulnerability in Python's http.cookies.Morsel.js_output() method allows HTML injection through insufficient escaping. The method generates an inline <script> element containing cookie data, escaping only double quotes for JavaScript string safety but failing to neutralize the </script> sequence. This permits an attacker with control over cookie values to prematurely close the script element and inject a [truncated]
This CVE affects Python's remote debugging capabilities introduced in versions 3.14+ (asyncio introspection) and 3.15+ (profiling.sampling module). The vulnerability allows a malicious or compromised Python process to read and write memory addresses in a privileged process that connects to it via the remote debugging feature. Exploitation requires persistent, repeated connections because ASLR causes high- [truncated]
CVE-2026-4786 is a high-severity vulnerability that stems from the incomplete mitigation of CVE-2026-4519. The vulnerability allows for command injection into the underlying shell for certain browser types through the webbrowser.open() API when the URL contains the string '%action'. This issue was introduced due to an insufficient fix for CVE-2026-4519. The vulnerability has a CVSS score of 7 and is class [truncated]
CVE-2026-4519 is a high-severity vulnerability in the Python webbrowser.open() API. The API previously accepted leading dashes in URLs, which could be handled as command line options for certain web browsers. This behavior has been changed to reject leading dashes. Users are advised to sanitize URLs prior to passing them to webbrowser.open(). The vulnerability has a CVSS score of 7 and is considered high [truncated]
CVE-2026-3644 is a vulnerability in Python's http.cookies module. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. Specifically, the Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). [truncated]
The imaplib module in Python is vulnerable to injection attacks when passed user-controlled commands containing newlines. This CVE was published on 2026-01-20T22:15:51.023Z and last modified on 2026-07-07T18:16:33.170Z. The vulnerability has a CVSS score of 5.9 and is classified as MEDIUM severity. Users of Python's imaplib module should assess their exposure and apply mitigations to reject commands with [truncated]