| Severity | Score | Vulnerability | Version range |
|---|---|---|---|
| CRITICAL | 9.8 | CVE-2026-7210: The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection | from 0 |
| CRITICAL | 9.8 | CVE-2025-13462: tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling | from 0 |
| CRITICAL | 9.8 | An XML External Entity (XXE) issue was discovered in Python through 3.9.1. | from 0, < 2.7.18-8+deb11u1 |
| CRITICAL | 9.8 | python2.7 - security update | from 0, < 2.7.18-2 |
| CRITICAL | 9.8 | python2.7 - security update | from 0, < 2.7.13-2+deb9u6 |
| CRITICAL | 9.8 | In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. | from 0 |
| CRITICAL | 9.8 | The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which a… | from 0, < 2.7.8-1 |
| CRITICAL | 9.8 | A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.… | from 0, < 2.7.16-3 |
| CRITICAL | 9.8 | Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during N… | from 0, < 2.7.16-2 |
| CRITICAL | 9.8 | python2.7 - security update | from 0, < 2.7.15-5 |
| CRITICAL | 9.8 | python2.7 - security update | from 0, < 2.7.13-2+deb9u3 |
| CRITICAL | 9.8 | python3.5 - security update | from 0, < 2.7.3-6+deb7u4 |
| CRITICAL | 9.8 | python3.5 - security update | from 0, < 2.7.13-4 |
| CRITICAL | 9.8 | python3.5 - security update | from 0, < 2.7.9-2+deb8u2 |
| CRITICAL | 9.8 | Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 al… | from 0, < 2.7.12~rc1-1 |
| CRITICAL | 9.1 | python3.4 - security update | from 0, < 2.7.16-2 |
| HIGH | 8.8 | Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment varia… | from 0 |
| HIGH | 7.6 | python3.9 - security update | from 0, < 2.7.16-2+deb10u2 |
| HIGH | 7.6 | python3.9 - security update | from 0 |
| HIGH | 7.5 | Stack overflow parsing XML with deeply nested DTD content models | from 0 |
| HIGH | 7.5 | Python-Markdown has an Uncaught Exception | from 0 |
| HIGH | 7.5 | Tarfile infinite loop during parsing with negative member offset | from 0 |
| HIGH | 7.5 | Regular-expression DoS when parsing TarFile headers | from 0 |
| HIGH | 7.5 | python3.7 - security update | from 0, < 2.7.18-8+deb11u1 |
| HIGH | 7.5 | pypy3 - security update | from 0, < 2.7.18-8+deb11u1 |
| HIGH | 7.5 | An issue was discovered in Python before 3.11.1. | from 0 |
| HIGH | 7.5 | pypy3 - security update | from 0 |
| HIGH | 7.5 | A flaw was found in python. | from 0 |
| HIGH | 7.5 | python3.9 - security update | from 0, < 2.7.18-8+deb11u1 |
| HIGH | 7.5 | python3.5 - security update | from 0, < 2.7.18-2 |
| HIGH | 7.5 | The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memor… | from 0, < 2.7.9-1 |
| HIGH | 7.5 | Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb. | from 0 |
| HIGH | 7.5 | An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. | from 0, < 2.7.15-6 |
| HIGH | 7.5 | python2.7 - security update | from 0, < 2.7.9-2+deb8u5 |
| HIGH | 7.5 | python2.7 - security update | from 0, < 2.7.17~rc1-1 |
| HIGH | 7.5 | python3.4 - security update | from 0, < 2.7.15-5 |
| HIGH | 7.5 | python3.4 - security update | from 0, < 2.7.9-2+deb8u3 |
| HIGH | 7.5 | python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK m… | from 0, < 2.7.14-7 |
| HIGH | 7.5 | python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. | from 0, < 2.7.14-7 |
| HIGH | 7.4 | python3.11 - security update | from 0 |
| HIGH | 7.4 | Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginn… | from 0 |
| HIGH | 7.2 | http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attac… | from 0 |
| MEDIUM | 6.5 | Buffer overread when using an empty list with SSLContext.set_npn_protocols() | from 0 |
| MEDIUM | 6.5 | python3.5 - security update | from 0 |
| MEDIUM | 6.5 | Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct… | from 0, < 2.7.18-2 |
| MEDIUM | 6.5 | python3.2 - security update | from 0, < 2.7.3-6+deb7u3 |
| MEDIUM | 6.5 | python3.2 - security update | from 0, < 2.7.12~rc1-1 |
| MEDIUM | 6.2 | python2.7 - security update | from 0 |
| MEDIUM | 6.2 | python2.7 - security update | from 0, < 2.7.16-2+deb10u4 |
| MEDIUM | 6.1 | The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow… | from 0, < 2.7.12-2 |
| MEDIUM | 6.1 | An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. | from 0, < 2.7.18~rc1-1 |
| MEDIUM | 6.1 | python2.7 - security update | from 0, < 2.7.13-2+deb9u5 |
| MEDIUM | 6.1 | python2.7 - security update | from 0, < 2.7.17~rc1-1 |
| MEDIUM | 6.1 | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. | from 0, < 2.7.16-3 |
| MEDIUM | 6.1 | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. | from 0, < 2.7.16-3 |
| MEDIUM | 6.1 | CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x b… | from 0, < 2.7.10~rc1-1 |
| MEDIUM | 5.9 | An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. | from 0, < 2.7.18-8+deb11u1 |
| MEDIUM | 5.9 | simplejson before 2.6.1 vulnerable to array index error | from 0, < 2.7.7-1 |
| MEDIUM | 5.9 | python2.7 - security update | from 0, < 2.7.18-8+deb11u1 |
| MEDIUM | 5.9 | python2.7 - security update | from 0, < 2.7.16-2+deb10u3 |
| MEDIUM | 5.9 | The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames,… | from 0, < 2.7.9-1 |
| MEDIUM | 5.5 | Email header injection due to unquoted newlines | from 0 |
| MEDIUM | 5.3 | Quadratic complexity in node ID cache clearing | from 0 |
| MEDIUM | 5.3 | An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. | from 0, < 2.7.18-8+deb11u1 |
| MEDIUM | 5.3 | The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. | from 0 |
| MEDIUM | 5.3 | A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. | from 0 |
| MEDIUM | 5.3 | python2.7 - security update | from 0, < 2.7.16-3 |
| MEDIUM | 5.3 | python2.7 - security update | from 0, < 2.7.9-2+deb8u4 |
| MEDIUM | 5.3 | python2.7 - security update | from 0, < 2.7.13-2+deb9u4 |
| MEDIUM | 4.3 | HTMLParser quadratic complexity when processing malformed inputs | from 0 |
| LOW | 3.6 | Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. | from 0, < 2.7.14-5 |
| LOW | 3.3 | webbrowser.open() allows leading dashes in URLs | from 0 |
| — | | tarfile.data_filter path traversal bypass allows writing outside the extraction directory | from 0 |
| — | | Potential DoS via quadratic complexity in unicodedata.normalize() | from 0 |
| — | | FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address | from 0 |
| — | | Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure | from 0 |
| — | | Base64 decoding stops at first padded quad by default | from 0 |
| — | | HTTP client proxy tunnel headers not validated for CR/LF | from 0 |
| — | | pkgutil.get_data() does not enforce documented restrictions | from 0 |
| — | | wsgiref.headers.Headers allows header newline injection | from 0 |
| — | | POP3 command injection in user-controlled commands | from 0 |
| — | | IMAP command injection in user-controlled commands | from 0 |
| — | | The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x… | from 0, < 2.7.9-1 |
| — | | Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process m… | from 0, < 2.7.8-1 |
| — | | Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without… | from 0 |
| — | | Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x befo… | from 0, < 2.7.6-6 |
| — | | bzr - security update | from 0, < 2.7.5-5 |
| — | | python2.7 - security update | from 0, < 2.7.5-8 |
| — | | python2.7 - security update | from 0, < 2.7.3-6+deb7u2 |
| — | | Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to t… | from 0, < 2.7.3~rc1-1 |
| — | | SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows rem… | from 0, < 2.7.3~rc1-1 |
| — | | Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces… | from 0, < 2.7.3~rc2-2 |
| — | | The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x befo… | from 0, < 2.7.2-8 |
| — | | curl - several | from 0, < 2.7.3~rc1-1 |
| — | | The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: U… | from 0, < 2.7.1-7 |
| — | | The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying… | from 0, < 2.7.8-11 |
| — | | The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows con… | from 0, < 2.7-1 |
| — | | Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a… | from 0, < 2.7-1 |