CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2026-7210 – The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
https://notcve.org/view.php?id=CVE-2026-7210
11 May 2026 — `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch. • https://github.com/python/cpython/issues/149018 • CWE-331: Insufficient Entropy •
CVSS: 2.1EPSS: 0%CPEs: 1EXPL: 0CVE-2026-6019 – BaseCookie.js_output() does not neutralize embedded characters
https://notcve.org/view.php?id=CVE-2026-6019
22 Apr 2026 — http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. • https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2026-4786 – Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
https://notcve.org/view.php?id=CVE-2026-4786
13 Apr 2026 — Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details. • https://github.com/python/cpython/issues/148169 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2026-6100 – Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
https://notcve.org/view.php?id=CVE-2026-6100
13 Apr 2026 — Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during dec... • https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d • CWE-416: Use After Free CWE-787: Out-of-bounds Write •
CVSS: 6.0EPSS: 0%CPEs: 2EXPL: 0CVE-2026-3446 – Base64 decoding stops at first padded quad by default
https://notcve.org/view.php?id=CVE-2026-3446
10 Apr 2026 — When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. • https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.0EPSS: 0%CPEs: 2EXPL: 0CVE-2026-4519 – webbrowser.open() allows leading dashes in URLs
https://notcve.org/view.php?id=CVE-2026-4519
20 Mar 2026 — The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open(). • https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866 • CWE-20: Improper Input Validation •
CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0CVE-2026-3479 – pkgutil.get_data() does not enforce documented restrictions
https://notcve.org/view.php?id=CVE-2026-3479
18 Mar 2026 — pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals. pkgutil.get_data() no validó el argumento de recurso como se documentó, permitiendo recorridos de ruta. DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not... • https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.0EPSS: 0%CPEs: 2EXPL: 0CVE-2026-4224 – Stack overflow parsing XML with deeply nested DTD content models
https://notcve.org/view.php?id=CVE-2026-4224
16 Mar 2026 — When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. • https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a • CWE-674: Uncontrolled Recursion •
CVSS: 6.0EPSS: 0%CPEs: 2EXPL: 0CVE-2026-3644 – Incomplete control character validation in http.cookies
https://notcve.org/view.php?id=CVE-2026-3644
16 Mar 2026 — The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). • https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4 • CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output •
CVSS: 2.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-13462 – tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling
https://notcve.org/view.php?id=CVE-2025-13462
12 Mar 2026 — The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. El módulo 'tarfile' seguiría aplicando la normalización de bloques AREGTYPE (\x00) a DIRTYPE, incluso al procesar un miembro de múltiples bloques como GNUTYPE_LONGNAME o GNUTYPE_LONGLINK. Esto podría resultar en... • https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •