Skip to main content

Cpython

15 CVEs product

Monthly

CVE-2026-4360 LOW PATCH Monitor

CPython's tarfile.extract() silently bypasses the 'filter' parameter when processing hardlinks within tar archives, writing files with attacker-controlled uid/gid values despite the caller specifying filter='data' for security. Systems that extract content from untrusted tar archives while relying on this filter mechanism for ownership hardening are left with unexpected file ownership on extracted hardlinks. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept is available at time of analysis; the CVSS 4.0 score of 2.0 reflects the narrow, low-impact nature of the flaw.

Information Disclosure Cpython
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.3%
CVE-2026-11972 HIGH PATCH This Week

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted tar archive opened in streaming mode (mode='r|'). The seek() routine fails to detect EOF and keeps requesting bufsize reads of empty data when a TarInfo header declares a size far larger than the actual stream, exhausting CPU on any Python service that parses untrusted tar streams. No public exploit identified at time of analysis, but the upstream fix and a reproducer test case are both published on GitHub.

Denial Of Service Cpython Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-0864 MEDIUM PATCH This Month

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via configparser.write() to smuggle arbitrary keys and values into the resulting INI-style configuration file by embedding carriage return (\r) characters. All CPython versions are listed as affected per the NVD CPE wildcard, and any Python application that writes attacker-influenced data to config files via configparser is a candidate target. No public exploit has been identified at time of analysis; CVSS 4.0 scores this at 4.1 (Medium) with high privilege requirements and specific attack conditions.

Code Injection Cpython Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
4.1
EPSS
0.1%
CVE-2026-11940 HIGH PATCH This Week

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filters and create a symlink pointing outside the destination directory, enabling out-of-destination file reads or writes when extractall() is later used or the resulting symlink is followed. The flaw is an incomplete fix of CVE-2025-4330: a hardlink referencing a symlink stored at a deeper path than the hardlink itself causes the fallback to validate the symlink at its archived (deep) location but recreate it at the hardlink's shallower path, making a previously 'contained' relative target escape the extraction root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal Cpython
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.6%
CVE-2026-12003 MEDIUM PATCH This Month

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.

Python Privilege Escalation Microsoft Cpython
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-9669 HIGH PATCH This Week

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sending crafted bzip2 data when the application reuses the decompressor object after catching a prior OSError. The flaw stems from libbz2's internal state being left inconsistent after a decompression error, and reuse causes out-of-bounds writes to a stack buffer. No public exploit identified at time of analysis and the issue is not in CISA KEV; the practical impact is denial of service against Python services that process untrusted bzip2 streams.

Stack Overflow Buffer Overflow Cpython
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-7774 MEDIUM PATCH This Month

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and write files to arbitrary locations outside the intended extraction directory. When an application or user calls tarfile.extractall() with the data filter active, specially crafted symlinks using empty names, directory-like names, or trailing slashes can redirect subsequent archive members through attacker-controlled paths, subject to the permissions of the extracting process. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, but the attack vector is network-accessible and requires only that a victim initiate extraction of a crafted archive (UI:A).

Path Traversal Cpython
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-3276 MEDIUM PATCH This Month

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions when processing attacker-controlled Unicode strings. The canonical ordering step during Unicode normalization used an insertion sort algorithm with O(n²) time complexity, which degrades severely when input contains long runs of combining characters with alternating Canonical Combining Class (CCC) values. An unauthenticated remote attacker can cause excessive CPU consumption by submitting small crafted payloads (e.g., 65 characters) to any service that passes untrusted input to unicodedata.normalize(). No public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Canonical Cpython
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-8328 MEDIUM PATCH This Month

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP server's data connection to an arbitrary internal host by supplying an attacker-controlled IP address and port in its PASV response. The ftpcp() function - used to copy files directly between two FTP servers - was inadvertently excluded from the CVE-2021-4189 fix that already hardened FTP.makepasv() against this class of SSRF. Affecting CPython versions prior to 3.15.0, no public exploit has been identified at time of analysis, and EPSS at 0.04% (12th percentile) signals low exploitation probability; the vulnerability is not listed in CISA KEV.

SSRF Cpython
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-7210 MEDIUM PATCH This Month

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flooding protection, allowing crafted XML documents to trigger algorithmic complexity attacks (hash flooding) that degrade parser performance. Remote attackers can exploit this with complex XML payloads to cause denial of service. Mitigation requires both updating libexpat to 2.8.0 or later and applying the CPython patch, as confirmed by Python Software Foundation security advisory.

Information Disclosure Cpython
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-6019 LOW PATCH Monitor

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parser-sensitive sequence </script>, allowing attackers with high privilege levels to inject arbitrary JavaScript by crafting malicious cookie values. While the method escapes double quotes for JavaScript string context, it does not prevent premature termination of the script element through </script> injection, resulting in limited information disclosure. The vendor has released patches addressing this inadequate escaping mechanism through base64-encoding of cookie values.

Information Disclosure Cpython
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4786 HIGH PATCH This Week

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted URLs containing '%action' patterns. All CPython versions prior to 3.15.0 are affected, allowing local attackers with user interaction to execute arbitrary commands through underlying shell injection. EPSS probability is low (0.02%, 5th percentile), no active exploitation confirmed (not in CISA KEV), but publicly available patches exist via multiple GitHub commits. The incomplete mitigation highlights the challenge of securing browser-handling code across diverse browser implementations.

Command Injection Cpython
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-6100 CRITICAL PATCH Act Now

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances are reused after MemoryError exceptions under memory pressure. Affects all CPython versions before 3.15.0. Exploitation requires network-accessible Python service that decompresses attacker-controlled data, operates under memory constraints, and reuses decompressor objects across multiple operations-a narrow but realistic scenario in containerized environments or resource-limited systems. No active exploitation confirmed (EPSS 0.05%, not in CISA KEV). Patch available via CPython 3.15.0.

Information Disclosure Use After Free Memory Corruption Cpython
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.1%
CVE-2026-4519 HIGH PATCH This Week

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-line options rather than URLs, potentially leading to unintended command execution or information disclosure. This affects all CPython versions using the vulnerable webbrowser module. An attacker can craft a malicious URL containing leading dashes (e.g., '-P' or '--profile') that, when passed to webbrowser.open(), may trigger browser-specific behavior such as loading alternate profiles or executing browser commands, resulting in information disclosure or other security impacts.

Information Disclosure Cpython
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-3479 LOW PATCH Monitor

The pkgutil.get_data() function in CPython fails to properly validate the resource argument, enabling path traversal attacks that allow unauthorized information disclosure. This vulnerability affects CPython across multiple versions and could permit attackers to read arbitrary files from the system where Python code is executing. A patch is available from the Python Software Foundation, and the vulnerability has been documented with proof-of-concept references in the official CPython repository.

Path Traversal Cpython
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 2.0
LOW PATCH Monitor

CPython's tarfile.extract() silently bypasses the 'filter' parameter when processing hardlinks within tar archives, writing files with attacker-controlled uid/gid values despite the caller specifying filter='data' for security. Systems that extract content from untrusted tar archives while relying on this filter mechanism for ownership hardening are left with unexpected file ownership on extracted hardlinks. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept is available at time of analysis; the CVSS 4.0 score of 2.0 reflects the narrow, low-impact nature of the flaw.

Information Disclosure Cpython
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted tar archive opened in streaming mode (mode='r|'). The seek() routine fails to detect EOF and keeps requesting bufsize reads of empty data when a TarInfo header declares a size far larger than the actual stream, exhausting CPU on any Python service that parses untrusted tar streams. No public exploit identified at time of analysis, but the upstream fix and a reproducer test case are both published on GitHub.

Denial Of Service Cpython Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via configparser.write() to smuggle arbitrary keys and values into the resulting INI-style configuration file by embedding carriage return (\r) characters. All CPython versions are listed as affected per the NVD CPE wildcard, and any Python application that writes attacker-influenced data to config files via configparser is a candidate target. No public exploit has been identified at time of analysis; CVSS 4.0 scores this at 4.1 (Medium) with high privilege requirements and specific attack conditions.

Code Injection Cpython Red Hat +1
NVD GitHub VulDB
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filters and create a symlink pointing outside the destination directory, enabling out-of-destination file reads or writes when extractall() is later used or the resulting symlink is followed. The flaw is an incomplete fix of CVE-2025-4330: a hardlink referencing a symlink stored at a deeper path than the hardlink itself causes the fallback to validate the symlink at its archived (deep) location but recreate it at the hardlink's shallower path, making a previously 'contained' relative target escape the extraction root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal Cpython
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.

Python Privilege Escalation Microsoft +1
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sending crafted bzip2 data when the application reuses the decompressor object after catching a prior OSError. The flaw stems from libbz2's internal state being left inconsistent after a decompression error, and reuse causes out-of-bounds writes to a stack buffer. No public exploit identified at time of analysis and the issue is not in CISA KEV; the practical impact is denial of service against Python services that process untrusted bzip2 streams.

Stack Overflow Buffer Overflow Cpython
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and write files to arbitrary locations outside the intended extraction directory. When an application or user calls tarfile.extractall() with the data filter active, specially crafted symlinks using empty names, directory-like names, or trailing slashes can redirect subsequent archive members through attacker-controlled paths, subject to the permissions of the extracting process. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, but the attack vector is network-accessible and requires only that a victim initiate extraction of a crafted archive (UI:A).

Path Traversal Cpython
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions when processing attacker-controlled Unicode strings. The canonical ordering step during Unicode normalization used an insertion sort algorithm with O(n²) time complexity, which degrades severely when input contains long runs of combining characters with alternating Canonical Combining Class (CCC) values. An unauthenticated remote attacker can cause excessive CPU consumption by submitting small crafted payloads (e.g., 65 characters) to any service that passes untrusted input to unicodedata.normalize(). No public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Canonical Cpython
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP server's data connection to an arbitrary internal host by supplying an attacker-controlled IP address and port in its PASV response. The ftpcp() function - used to copy files directly between two FTP servers - was inadvertently excluded from the CVE-2021-4189 fix that already hardened FTP.makepasv() against this class of SSRF. Affecting CPython versions prior to 3.15.0, no public exploit has been identified at time of analysis, and EPSS at 0.04% (12th percentile) signals low exploitation probability; the vulnerability is not listed in CISA KEV.

SSRF Cpython
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flooding protection, allowing crafted XML documents to trigger algorithmic complexity attacks (hash flooding) that degrade parser performance. Remote attackers can exploit this with complex XML payloads to cause denial of service. Mitigation requires both updating libexpat to 2.8.0 or later and applying the CPython patch, as confirmed by Python Software Foundation security advisory.

Information Disclosure Cpython
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parser-sensitive sequence </script>, allowing attackers with high privilege levels to inject arbitrary JavaScript by crafting malicious cookie values. While the method escapes double quotes for JavaScript string context, it does not prevent premature termination of the script element through </script> injection, resulting in limited information disclosure. The vendor has released patches addressing this inadequate escaping mechanism through base64-encoding of cookie values.

Information Disclosure Cpython
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted URLs containing '%action' patterns. All CPython versions prior to 3.15.0 are affected, allowing local attackers with user interaction to execute arbitrary commands through underlying shell injection. EPSS probability is low (0.02%, 5th percentile), no active exploitation confirmed (not in CISA KEV), but publicly available patches exist via multiple GitHub commits. The incomplete mitigation highlights the challenge of securing browser-handling code across diverse browser implementations.

Command Injection Cpython
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances are reused after MemoryError exceptions under memory pressure. Affects all CPython versions before 3.15.0. Exploitation requires network-accessible Python service that decompresses attacker-controlled data, operates under memory constraints, and reuses decompressor objects across multiple operations-a narrow but realistic scenario in containerized environments or resource-limited systems. No active exploitation confirmed (EPSS 0.05%, not in CISA KEV). Patch available via CPython 3.15.0.

Information Disclosure Use After Free Memory Corruption +1
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-line options rather than URLs, potentially leading to unintended command execution or information disclosure. This affects all CPython versions using the vulnerable webbrowser module. An attacker can craft a malicious URL containing leading dashes (e.g., '-P' or '--profile') that, when passed to webbrowser.open(), may trigger browser-specific behavior such as loading alternate profiles or executing browser commands, resulting in information disclosure or other security impacts.

Information Disclosure Cpython
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

The pkgutil.get_data() function in CPython fails to properly validate the resource argument, enabling path traversal attacks that allow unauthorized information disclosure. This vulnerability affects CPython across multiple versions and could permit attackers to read arbitrary files from the system where Python code is executing. A patch is available from the Python Software Foundation, and the vulnerability has been documented with proof-of-concept references in the official CPython repository.

Path Traversal Cpython
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy