Python Software Foundation — Vulnerabilities & Security Advisories 54

Browse all 54 CVE security advisories affecting Python Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Python Software Foundation (PSF) is a non-profit organization dedicated to protecting and advancing the Python programming language while supporting the growth of a diverse global community of developers. As the steward of the official Python distribution, its core work is maintaining the integrity of the interpreter and standard library, which are foundational to countless enterprise and scientific applications. Historically, vulnerabilities in the PSF-maintained codebase have frequently involved memory corruption issues, such as buffer overflows, and logic flaws leading to privilege escalation or remote code execution (RCE) within the interpreter itself. While the PSF does not host third-party packages, its official releases have occasionally been targeted by supply chain attacks or affected by misconfigurations in associated infrastructure. Notable incidents include critical flaws in SSL/TLS handling and integer overflow bugs in the standard library, prompting rigorous security audits and rapid patch cycles to mitigate risk for the vast ecosystem relying on Python's core infrastructure.

Top products by Python Software Foundation: CPython, pymanager
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-3087 | shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs | CPython | CWE-22 | 6.2 (AI) | Medium (AI) | 2026-04-27 |
| CVE-2026-6019 | BaseCookie.js_output() does not neutralize embedded characters | CPython | CWE-150 | 6.1 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-3298 | Out-of-bounds write in Windows asyncio.ProactorEventLoop.sock_recvfrom_into() when using nbytes | CPython | CWE-787 | 8.8 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-5713 | Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target | CPython | CWE-121 | 9.1 | - | 2026-04-14 |
| CVE-2026-4786 | Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() | CPython | CWE-77 | 9.8 | - | 2026-04-13 |
| CVE-2026-6100 | Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure | CPython | CWE-416 | 8.4 | - | 2026-04-13 |
| CVE-2026-3446 | Base64 decoding stops at first padded quad by default | CPython | - | 8.2 (AI) | High (AI) | 2026-04-10 |
| CVE-2026-1502 | HTTP client proxy tunnel headers not validated for CR/LF | CPython | - | 7.5 (AI) | High (AI) | 2026-04-10 |
| CVE-2026-5271 | Possible to hijack modules in current working directory | pymanager | - | 8.4 (AI) | High (AI) | 2026-04-01 |
| CVE-2026-4519 | webbrowser.open() allows leading dashes in URLs | CPython | - | 8.2 | - | 2026-03-20 |
| CVE-2026-3479 | pkgutil.get_data() does not enforce documented restrictions | CPython | - | 7.5 | - | 2026-03-18 |
| CVE-2026-4224 | Stack overflow parsing XML with deeply nested DTD content models | CPython | - | 9.8 | - | 2026-03-16 |
| CVE-2026-3644 | Incomplete control character validation in http.cookies | CPython | - | 9.8 | - | 2026-03-16 |
| CVE-2025-13462 | tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling | CPython | - | 6.5 (AI) | Medium (AI) | 2026-03-12 |
| CVE-2026-2297 | SourcelessFileLoader does not use io.open_code() | CPython | - | 8.2 | - | 2026-03-04 |
| CVE-2026-1299 | email BytesGenerator header injection due to unquoted newlines | CPython | CWE-93 | 4.3 | - | 2026-01-23 |
| CVE-2025-12781 | base64.b64decode() always accepts "+/" characters, despite setting altchars | CPython | - | 7.5 (AI) | High (AI) | 2026-01-21 |
| CVE-2026-0672 | Header injection in http.cookies.Morsel | CPython | CWE-93 | 4.3 (AI) | Medium (AI) | 2026-01-20 |
| CVE-2025-15367 | POP3 command injection in user-controlled commands | CPython | CWE-77 | 9.8 (AI) | Critical (AI) | 2026-01-20 |
| CVE-2025-15366 | IMAP command injection in user-controlled commands | CPython | CWE-77 | 9.8 (AI) | Critical (AI) | 2026-01-20 |
| CVE-2025-15282 | Header injection via newlines in data URL mediatype | CPython | CWE-93 | 5.3 (AI) | Medium (AI) | 2026-01-20 |
| CVE-2026-0865 | wsgiref.headers.Headers allows header newline injection | CPython | CWE-74 | 4.7 (AI) | Medium (AI) | 2026-01-20 |
| CVE-2025-11468 | Folding email comments of unfoldable characters doesn't preserve parenthesis | CPython | - | 6.5 (AI) | Medium (AI) | 2026-01-20 |
| CVE-2025-12084 | Quadratic complexity in node ID cache clearing | CPython | - | 7.5 (AI) | High (AI) | 2025-12-03 |
| CVE-2025-13837 | Out-of-memory when loading Plist | CPython | - | 6.5 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-13836 | Excessive read buffering DoS in http.client | CPython | - | 9.8 (AI) | Critical (AI) | 2025-12-01 |
| CVE-2025-6075 | Quadratic complexity in os.path.expandvars() with user-controlled template | CPython | - | 7.5 | - | 2025-10-31 |
| CVE-2025-8291 | ZIP64 End of Central Directory (EOCD) Locator record offset not checked | CPython | - | 4.3 | Medium | 2025-10-07 |
| CVE-2025-8194 | Tarfile infinite loop during parsing with negative member offset | CPython | CWE-835 | 7.5 | High | 2025-07-28 |
| CVE-2025-6069 | HTMLParser quadratic complexity when processing malformed inputs | CPython | CWE-1333 | 4.3 | Medium | 2025-06-17 |

Legend: the "AI" tag that the listing attaches to some CVSS scores and severities is reproduced as "(AI)"; "-" marks a field the listing leaves blank.

This page lists every published CVE security advisory associated with Python Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.