CRITICAL9.8CVE-2026-7210The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection from 0
CRITICAL9.8CVE-2022-48565An XML External Entity (XXE) issue was discovered in Python through 3.9.1. from 0, < 7.3.5+dfsg-2
CRITICAL9.8pypy3 - security update
from 0, < 7.3.5+dfsg-2+deb11u2
CRITICAL9.8pypy3 - security update
from 0, < 7.3.5+dfsg-2+deb11u2
CRITICAL9.8In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string.
from 0, < 7.3.8+dfsg-1
CRITICAL9.8In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
from 0, < 7.3.5+dfsg-2
CRITICAL9.4Arbitrary writes via tarfile realpath overflow
from 0
HIGH7.8Virtual environment (venv) activation scripts don't quote paths
from 0, < 7.3.5+dfsg-2+deb11u4
HIGH7.8python3.7 - security update
from 0, < 7.3.5+dfsg-2+deb11u3
HIGH7.8Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration.
from 0
HIGH7.6python3.9 - security update
from 0
HIGH7.5Python-Markdown has an Uncaught Exception
from 0
HIGH7.5Excessive read buffering DoS in http.client
from 0
HIGH7.5Tarfile infinite loop during parsing with negative member offset
from 0
HIGH7.5Tarfile extracts filtered members when errorlevel=0
from 0
HIGH7.5Extraction filter bypass for linking outside extraction directory
from 0
HIGH7.5Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
from 0
HIGH7.5Regular-expression DoS when parsing TarFile headers
from 0, < 7.3.5+dfsg-2+deb11u5
HIGH7.5Quadratic complexity parsing cookies with backslashes
from 0, < 7.3.5+dfsg-2+deb11u5
HIGH7.5Incorrect IPv4 and IPv6 private ranges
from 0
HIGH7.5pypy3 - security update
from 0, < 7.3.5+dfsg-2+deb11u3
HIGH7.5pypy3 - security update
from 0, < 7.3.5+dfsg-2+deb11u3
HIGH7.5An issue was discovered in Python before 3.11.1.
from 0, < 7.3.5+dfsg-2+deb11u4
HIGH7.5pypy3 - security update
from 0, < 7.3.5+dfsg-2+deb11u4
HIGH7.5pypy3 - security update
from 0, < 7.3.5+dfsg-2+deb11u4
HIGH7.5A flaw was found in python.
from 0, < 7.3.5+dfsg-2+deb11u4
HIGH7.5python3.9 - security update
from 0, < 7.3.5+dfsg-2+deb11u4
HIGH7.5py vulnerable to Regular Expression Denial of Service
from 0, < 7.3.5+dfsg-2+deb11u4
HIGH7.5python3.5 - security update
from 0, < 7.3.3+dfsg-1
HIGH7.4python3.11 - security update
from 0
HIGH7.4Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginn…
from 0, < 7.3.5+dfsg-2+deb11u4
HIGH7.2http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attac…
from 0, < 7.3.3+dfsg-1
MEDIUM6.5Buffer overread when using an empty list with SSLContext.set_npn_protocols()
from 0
MEDIUM6.5read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malform…
from 0, < 7.3.5+dfsg-2
MEDIUM6.5python3.5 - security update
from 0, < 7.3.5+dfsg-2
MEDIUM6.2python2.7 - security update
from 0, < 7.3.5+dfsg-2+deb11u3
MEDIUM6.1BaseCookie.js_output() does not neutralize embedded characters
from 0
MEDIUM5.9An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1.
from 0, < 7.3.5+dfsg-2
MEDIUM5.9python2.7 - security update
from 0, < 7.3.3+dfsg-3
MEDIUM5.7There's a flaw in Python 3's pydoc.
from 0, < 7.3.3+dfsg-4
MEDIUM5.5Out-of-memory when loading Plist
from 0
MEDIUM5.5Quadratic complexity in os.path.expandvars() with user-controlled template
from 0
MEDIUM5.5Email header injection due to unquoted newlines
from 0, < 7.3.5+dfsg-2+deb11u5
MEDIUM5.3base64.b64decode() always accepts "+/" characters, despite setting altchars
from 0
MEDIUM5.3Quadratic complexity in node ID cache clearing
from 0
MEDIUM5.3Bypass extraction filter to modify file metadata outside extraction directory
from 0
MEDIUM5.3An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5.
from 0, < 7.3.5+dfsg-2+deb11u3
MEDIUM5.3The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character.
from 0, < 7.3.5+dfsg-2+deb11u4
MEDIUM5.3A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode.
from 0, < 7.3.5+dfsg-2
MEDIUM4.3ZIP64 End of Central Directory (EOCD) Locator record offset not checked
from 0, < 7.3.5+dfsg-2+deb11u5
MEDIUM4.3HTMLParser quadratic complexity when processing malformed inputs
from 0, < 7.3.5+dfsg-2+deb11u5
LOW3.3webbrowser.open() allows leading dashes in URLs
from 0
—tarfile.data_filter path traversal bypass allows writing outside the extraction directory
from 0
—Potential DoS via quadratic complexity in unicodedata.normalize()
from 0
—FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
from 0
—Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
from 0, < 7.3.22+dfsg-1
—Base64 decoding stops at first padded quad by default
from 0
—HTTP client proxy tunnel headers not validated for CR/LF
from 0
—pkgutil.get_data() does not enforce documented restrictions
from 0
—SourcelessFileLoader does not use io.open_code()
from 0
—email BytesGenerator header injection due to unquoted newlines
from 0
—wsgiref.headers.Headers allows header newline injection
from 0
—Header injection in http.cookies.Morsel
from 0
—POP3 command injection in user-controlled commands
from 0
—IMAP command injection in user-controlled commands
from 0
—Header injection via newlines in data URL mediatype
from 0
—python3.9 - security update
from 0
—Mishandling of comma during folding and unicode-encoding of email headers
from 0, < 7.3.5+dfsg-2+deb11u5
—URL parser allowed square brackets in domain names
from 0, < 7.3.5+dfsg-2+deb11u5
—pypy3 - security update
from 0, < 7.3.5+dfsg-2+deb11u5
—pypy3 - security update
from 0, < 7.3.5+dfsg-2+deb11u5
—Infinite loop when iterating over zip archive entry names from zipfile.Path
from 0