CVE-2026-3446
Base64 decoding stops at first padded quad by default
EPSS 0.03%
Description
When calling base64.b64decode() or related functions, decoding would stop after the first padded quad, regardless of whether more data followed it. As a result, data can be accepted that other implementations process differently. Pass "validate=True" to enable stricter processing of base64 data.
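The stricter processing described above, as an added example that is not part of the original advisory: it decodes each input with and without validate=True so that inputs the strict path rejects can be refused at ingress. The helper names `decode_strict` and `compare` are hypothetical and the sample inputs are constructed.

```python
import base64
import binascii


def decode_strict(data: bytes) -> bytes:
    """Decode with validate=True; raises binascii.Error on excess data
    after padding or on characters outside the base64 alphabet."""
    return base64.b64decode(data, validate=True)


def compare(data: bytes):
    """Return (lenient, strict): decoded bytes, or None where that mode
    rejected the input. Hypothetical helper for auditing stored inputs."""
    results = []
    for validate in (False, True):
        try:
            results.append(base64.b64decode(data, validate=validate))
        except binascii.Error:
            results.append(None)
    return tuple(results)


# Constructed samples: two well-formed values, then two padded quads
# ("a" and "bc") concatenated into one string.
SAMPLES = [b"YQ==", b"YWJj", b"YQ==YmM="]


def main() -> None:
    for sample in SAMPLES:
        lenient, strict = compare(sample)
        # The lenient result for the concatenated sample depends on the
        # interpreter version, so it is printed rather than assumed.
        verdict = "accept" if strict is not None else "reject"
        print(f"{sample!r}: lenient={lenient!r} strict={strict!r} -> {verdict}")


if __name__ == "__main__":
    main()
```

Gating on the strict result means a payload is accepted only when every byte of it was consumed as canonical base64, which removes the disagreement with other decoders.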
How to fix CVE-2026-3446
To remediate CVE-2026-3446, upgrade the affected package to a fixed version below.
- Bitnami/libpython—upgrade to 3.13.13 or later
- —upgrade to 3.13.13 or later
- —upgrade to 3.13.13 or later
- —no fix listed
- —no fix listed
- —no fix listed
- —upgrade to 3.13.5-2+deb13u2 or later
- —upgrade to 3.14.4-1 or later
- —no fix listed
Is CVE-2026-3446 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (9)
- from 0, < 3.13.13, >= 3.14.0, < 3.14.4
- from 0, < 3.13.13, >= 3.14.0, < 3.14.4
- from 0, < 3.13.13, >= 3.14.0, < 3.14.4
- from 0
- from 0
- from 0
- from 0, < 3.13.5-2+deb13u2
- from 0, < 3.14.4-1
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |