
CPython — Vulnerabilities & Security Advisories (62)

All 62 CVE vulnerabilities found in CPython, with AI-generated Chinese analysis, references, and POCs.

This page aggregates the Common Weakness Enumeration (CWE) classes associated with CPython, the reference implementation of the Python programming language developed by the Python Software Foundation. It compiles security advisories and vulnerability records for the CPython core interpreter and its standard library modules, covering historical data from 2000 through 2024. It can be used to track vendor-specific advisories issued by the Python Security Response Team, to analyze trends within specific weakness classes such as buffer overflows or injection flaws, and to investigate the vulnerability history of specific CPython releases. Each record includes impact severity, affected versions, and patch status, giving a consolidated view of the security landscape for this widely used open-source software. Centralizing these reports supports security auditing and risk assessment for organizations that rely on CPython in their backend infrastructure or development environments, and helps developers and security professionals follow the evolution of security fixes and identify gaps in their deployments without sifting through disparate announcement archives.

Vendor: Python Software Foundation

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-11972 | tarfile opened in streaming mode mishandles EOF | CWE-252 | - | - | 2026-06-23 |
| CVE-2026-0864 | Configuration Injection via Carriage Return (\r) in write() method | - | - | - | 2026-06-23 |
| CVE-2026-11940 | tarfile extraction filter bypass allows escaping the destination directory | CWE-22 | - | - | 2026-06-23 |
| CVE-2026-12003 | CPython >3.11 Insecure Input Validation resulting in privilege escalation | CWE-427 | - | - | 2026-06-16 |
| CVE-2026-9669 | bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow | CWE-121 | - | - | 2026-06-08 |
| CVE-2026-7774 | tarfile.data_filter path traversal bypass allows writing outside the extraction directory | CWE-22 | - | - | 2026-06-04 |
| CVE-2026-3276 | Potential DoS via quadratic complexity in unicodedata.normalize() | CWE-407 | - | - | 2026-06-03 |
| CVE-2026-8328 | FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address | CWE-918 | - | - | 2026-05-13 |
| CVE-2026-7210 | The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection | CWE-331 | - | - | 2026-05-11 |
| CVE-2026-3087 | shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs | CWE-22 | 6.2 (AI) | Medium (AI) | 2026-04-27 |
| CVE-2026-6019 | BaseCookie.js_output() does not neutralize embedded characters | CWE-150 | 6.1 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-3298 | Out-of-bounds write in Windows asyncio.ProactorEventLoop.sock_recvfrom_into() when using nbytes | CWE-787 | 8.8 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-5713 | Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target | CWE-121 | 9.1 | - | 2026-04-14 |
| CVE-2026-4786 | Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() | CWE-77 | 9.8 | - | 2026-04-13 |
| CVE-2026-6100 | Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure | CWE-416 | 8.4 | - | 2026-04-13 |
| CVE-2026-3446 | Base64 decoding stops at first padded quad by default | - | 8.2 (AI) | High (AI) | 2026-04-10 |
| CVE-2026-1502 | HTTP client proxy tunnel headers not validated for CR/LF | - | 7.5 (AI) | High (AI) | 2026-04-10 |
| CVE-2026-4519 | webbrowser.open() allows leading dashes in URLs | - | 8.2 | - | 2026-03-20 |
| CVE-2026-3479 | pkgutil.get_data() does not enforce documented restrictions | - | 7.5 | - | 2026-03-18 |
| CVE-2026-4224 | Stack overflow parsing XML with deeply nested DTD content models | - | 9.8 | - | 2026-03-16 |
| CVE-2026-3644 | Incomplete control character validation in http.cookies | - | 9.8 | - | 2026-03-16 |
| CVE-2025-13462 | tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling | - | 6.5 (AI) | Medium (AI) | 2026-03-12 |
| CVE-2026-2297 | SourcelessFileLoader does not use io.open_code() | - | 8.2 | - | 2026-03-04 |
| CVE-2026-1299 | email BytesGenerator header injection due to unquoted newlines | CWE-93 | 4.3 | - | 2026-01-23 |
| CVE-2025-12781 | base64.b64decode() always accepts "+/" characters, despite setting altchars | - | 7.5 (AI) | High (AI) | 2026-01-21 |
| CVE-2026-0672 | Header injection in http.cookies.Morsel | CWE-93 | 4.3 (AI) | Medium (AI) | 2026-01-20 |
| CVE-2025-15367 | POP3 command injection in user-controlled commands | CWE-77 | 9.8 (AI) | Critical (AI) | 2026-01-20 |
| CVE-2025-15366 | IMAP command injection in user-controlled commands | CWE-77 | 9.8 (AI) | Critical (AI) | 2026-01-20 |
| CVE-2025-15282 | Header injection via newlines in data URL mediatype | CWE-93 | 5.3 (AI) | Medium (AI) | 2026-01-20 |
| CVE-2026-0865 | wsgiref.headers.Headers allows header newline injection | CWE-74 | 4.7 (AI) | Medium (AI) | 2026-01-20 |

"(AI)" marks a CVSS score or severity rating that is AI-estimated rather than taken from the advisory; "-" means no value is listed.
