Severity | Score | CVE | Title | Affected versions
---------|-------|-----|-------|------------------
CRITICAL | 9.8 | CVE-2026-7210 | The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection | from 0
CRITICAL | 9.8 | CVE-2025-13462 | tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling | from 0, < 3.13.5-2+deb13u1
CRITICAL | 9.4 | n/a | Arbitrary writes via tarfile realpath overflow | from 0, < 3.13.4-1
HIGH | 7.8 | n/a | Virtual environment (venv) activation scripts don't quote paths | from 0, < 3.13.1-1
HIGH | 7.5 | n/a | Stack overflow parsing XML with deeply nested DTD content models | from 0, < 3.13.5-2+deb13u2
HIGH | 7.5 | n/a | Incomplete control character validation in http.cookies | from 0, < 3.13.5-2+deb13u2
HIGH | 7.5 | n/a | Python-Markdown has an Uncaught Exception | from 0, < 3.13.4-1
HIGH | 7.5 | n/a | Excessive read buffering DoS in http.client | from 0, < 3.13.5-2+deb13u1
HIGH | 7.5 | n/a | Tarfile infinite loop during parsing with negative member offset | from 0, < 3.13.5-2+deb13u1
HIGH | 7.5 | n/a | Tarfile extracts filtered members when errorlevel=0 | from 0, < 3.13.4-1
HIGH | 7.5 | n/a | Extraction filter bypass for linking outside extraction directory | from 0, < 3.13.4-1
HIGH | 7.5 | n/a | Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory | from 0, < 3.13.4-1
HIGH | 7.5 | n/a | Regular-expression DoS when parsing TarFile headers | from 0, < 3.13.0~rc2-1
HIGH | 7.5 | n/a | Quadratic complexity parsing cookies with backslashes | from 0, < 3.13.0~rc2-1
MEDIUM | 6.1 | n/a | BaseCookie.js_output() does not neutralize embedded characters | from 0, < 3.13.5-2+deb13u2
MEDIUM | 5.5 | n/a | Out-of-memory when loading Plist | from 0, < 3.13.5-2+deb13u1
MEDIUM | 5.5 | n/a | Quadratic complexity in os.path.expandvars() with user-controlled template | from 0, < 3.13.5-2+deb13u1
MEDIUM | 5.5 | n/a | Email header injection due to unquoted newlines | from 0, < 3.13.0~rc2-1
MEDIUM | 5.3 | n/a | base64.b64decode() always accepts "+/" characters, despite setting altchars | from 0
MEDIUM | 5.3 | n/a | Quadratic complexity in node ID cache clearing | from 0, < 3.13.5-2+deb13u1
MEDIUM | 5.3 | n/a | Bypass extraction filter to modify file metadata outside extraction directory | from 0, < 3.13.4-1
MEDIUM | 4.3 | n/a | ZIP64 End of Central Directory (EOCD) Locator record offset not checked | from 0, < 3.13.5-2+deb13u1
MEDIUM | 4.3 | n/a | HTMLParser quadratic complexity when processing malformed inputs | from 0, < 3.13.5-2+deb13u1
LOW | 3.3 | n/a | webbrowser.open() allows leading dashes in URLs | from 0, < 3.13.5-2+deb13u2
unrated | n/a | n/a | bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow | from 0
unrated | n/a | n/a | tarfile.data_filter path traversal bypass allows writing outside the extraction directory | from 0
unrated | n/a | n/a | Potential DoS via quadratic complexity in unicodedata.normalize() | from 0
unrated | n/a | n/a | FTP PASV SSRF: ftpcp() does not use the actual peer address and trusts the server-supplied PASV host address | from 0
unrated | n/a | n/a | Incomplete mitigation of CVE-2026-4519: %action expansion for command injection to webbrowser.open() | from 0
unrated | n/a | n/a | Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure | from 0, < 3.13.5-2+deb13u2
unrated | n/a | n/a | Base64 decoding stops at first padded quad by default | from 0, < 3.13.5-2+deb13u2
unrated | n/a | n/a | HTTP client proxy tunnel headers not validated for CR/LF | from 0
unrated | n/a | n/a | pkgutil.get_data() does not enforce documented restrictions | from 0
unrated | n/a | n/a | SourcelessFileLoader does not use io.open_code() | from 0, < 3.13.5-2+deb13u1
unrated | n/a | n/a | email BytesGenerator header injection due to unquoted newlines | from 0, < 3.13.5-2+deb13u1
unrated | n/a | n/a | wsgiref.headers.Headers allows header newline injection | from 0, < 3.13.5-2+deb13u1
unrated | n/a | n/a | Header injection in http.cookies.Morsel | from 0, < 3.13.5-2+deb13u1
unrated | n/a | n/a | POP3 command injection in user-controlled commands | from 0
unrated | n/a | n/a | IMAP command injection in user-controlled commands | from 0
unrated | n/a | n/a | Header injection via newlines in data URL mediatype | from 0, < 3.13.5-2+deb13u1
unrated | n/a | n/a | python3.9 - security update | from 0, < 3.13.5-2+deb13u1
unrated | n/a | n/a | Use-after-free in "unicode_escape" decoder with error handler | from 0, < 3.13.3-4
unrated | n/a | n/a | Mishandling of comma during folding and unicode-encoding of email headers | from 0, < 3.13.0~b1-1
unrated | n/a | n/a | URL parser allowed square brackets in domain names | from 0, < 3.13.2-1
unrated | n/a | n/a | Unbounded memory buffering in SelectorSocketTransport.writelines() | from 0, < 3.13.1-2
unrated | n/a | n/a | Infinite loop when iterating over zip archive entry names from zipfile.Path | from 0, < 3.13.0~rc2-1

"Affected versions" is given as the range the listing reports; an entry whose range has no upper bound ("from 0" only) lists no fixed version. Score and CVE are "n/a" where the listing gives none, and severity is "unrated" where the listing shows no severity.