5.7
CVE-2026-2297
- EPSS 0.2%
- Veröffentlicht 04.03.2026 22:10:43
- Zuletzt bearbeitet 01.05.2026 16:16:30
- Quelle cna@python.org
- CVE-Watchlists
- Unerledigt
SourcelessFileLoader does not use io.open_code()
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPython Software Foundation
≫
Produkt
CPython
Default Statusunaffected
Version
0
Version <
3.13.13
Status
affected
Version
3.14.0
Version <
3.14.4
Status
affected
Version
3.15.0a1
Version <
3.15.0a7
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.101 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cna@python.org | 5.7 | 0 | 0 |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-668 Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
https://github.com/python/cpython/issues/145506
https://github.com/python/cpython/pull/145507
https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e
https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e
https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86
http://www.openwall.com/lists/oss-security/2026/03/05/6
https://github.com/python/cpython/commit/69ddd9bb2cc4bd69b1565647c18659c6a789ccd9
https://github.com/python/cpython/commit/876858c9f65d9ab656c7fa639f268ce7856d89dd