- EPSS -
- Veröffentlicht 09.07.2026 17:16:58
- Zuletzt bearbeitet 09.07.2026 18:16:51
The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.
CVE-2026-4360
- EPSS 0.24%
- Veröffentlicht 30.06.2026 14:45:35
- Zuletzt bearbeitet 09.07.2026 02:40:39
In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing...
CVE-2026-11972
- EPSS 0.43%
- Veröffentlicht 23.06.2026 22:02:45
- Zuletzt bearbeitet 30.06.2026 16:16:43
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
CVE-2026-0864
- EPSS 0.13%
- Veröffentlicht 23.06.2026 18:17:41
- Zuletzt bearbeitet 25.06.2026 19:51:26
When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.
CVE-2026-11940
- EPSS 0.61%
- Veröffentlicht 23.06.2026 16:04:17
- Zuletzt bearbeitet 30.06.2026 16:16:35
tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself. The extraction fallback validated the symlink at it's archived loc...
CVE-2026-12003
- EPSS 0.14%
- Veröffentlicht 16.06.2026 15:18:42
- Zuletzt bearbeitet 23.06.2026 18:17:41
To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relat...
CVE-2026-9669
- EPSS 0.43%
- Veröffentlicht 08.06.2026 22:01:15
- Zuletzt bearbeitet 07.07.2026 18:16:40
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and pe...
CVE-2026-7774
- EPSS 0.62%
- Veröffentlicht 04.06.2026 14:21:23
- Zuletzt bearbeitet 07.07.2026 18:16:40
tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfil...
CVE-2026-3276
- EPSS 0.49%
- Veröffentlicht 03.06.2026 14:29:39
- Zuletzt bearbeitet 16.06.2026 15:16:39
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
CVE-2026-8328
- EPSS 0.48%
- Veröffentlicht 13.05.2026 20:14:33
- Zuletzt bearbeitet 30.06.2026 16:16:56
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directl...