CVSS: 5.7 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2026-2297 – SourcelessFileLoader does not use io.open_code()
https://notcve.org/view.php?id=CVE-2026-2297
04 Mar 2026 — The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. • https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e • CWE-668: Exposure of Resource to Wrong Sphere
CVSS: 6.0 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-1299 – email BytesGenerator header injection due to unquoted newlines
https://notcve.org/view.php?id=CVE-2026-1299
23 Jan 2026 — The email module, specifically the "BytesGenerator" class, didn't properly quote newlines in email headers when serializing an email message, allowing header injection when an email is serialized. This is only applicable when using "LiteralHeader" to write headers that don't respect email folding rules; the new behavior rejects incorrectly folded headers in "BytesGenerator". These are all security issues fixed in the python314-3.14.3-1.1 package on the GA media of openSUSE Tumbleweed. • https://cve.org/CVERecord?id=CVE-2024-6923 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSS: 6.3 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-12781 – base64.b64decode() always accepts "+/" characters, despite setting altchars
https://notcve.org/view.php?id=CVE-2025-12781
21 Jan 2026 — When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module, the characters "+/" will always be accepted, regardless of the value of the "altchars" parameter, which is typically used to establish an "alternative base64 alphabet" such as the URL-safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the pos... • https://github.com/python/cpython/issues/125346 • CWE-704: Incorrect Type Conversion or Cast
CVSS: 9.1 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-0672 – Header injection in http.cookies.Morsel
https://notcve.org/view.php?id=CVE-2026-0672
20 Jan 2026 — When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. The patch rejects all control characters within cookie names, values, and parameters. Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages. This issue only affected python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 pack... • https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSS: 9.1 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-15282 – Header injection via newlines in data URL mediatype
https://notcve.org/view.php?id=CVE-2025-15282
20 Jan 2026 — User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages. This issue only affected python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. Jacob Walls, Shai Berger, and Natalia Bidart discovered that Python in... • https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSS: 6.4 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-0865 – wsgiref.headers.Headers allows header newline injection
https://notcve.org/view.php?id=CVE-2026-0865
20 Jan 2026 — User-controlled header names and values containing newlines can allow injecting HTTP headers. Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages. This issue only affected python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. Jacob Walls, Shai Berger, and Natalia Bidart discovered that Python inefficiently parsed XML input with qua... • https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSS: 7.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-11468 – Folding email comments of unfoldable characters doesn't preserve parenthesis
https://notcve.org/view.php?id=CVE-2025-11468
20 Jan 2026 — When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages. This issue only affected python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, p... • https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSS: 7.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-12084 – Quadratic complexity in node ID cache clearing
https://notcve.org/view.php?id=CVE-2025-12084
03 Dec 2025 — When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache(), the algorithm is quadratic. Availability can be impacted when building excessively nested documents. This update for python312 fixes the following issues. Quadratic complexity when building nested elements using 'xml.dom.minidom' methods that depend on '_clear_id_cache' can lead to availability issues when building excessively nested documents. Use of 'Content-Length' by default when... • https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4 • CWE-407: Inefficient Algorithmic Complexity
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-13837 – Out-of-memory when loading Plist
https://notcve.org/view.php?id=CVE-2025-13837
01 Dec 2025 — When loading a plist file, the plistlib module reads data in the size specified by the file itself, meaning a malicious file can cause OOM and DoS issues. This update for python312 fixes the following issues. Quadratic complexity when building nested elements using 'xml.dom.minidom' methods that depend on '_clear_id_cache' can lead to availability issues when building excessively nested documents. Use of 'Content-Length' by default when reading an HTTP response with no read amount specified can lead to OOM issue... • https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70 • CWE-400: Uncontrolled Resource Consumption
CVSS: 7.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-13836 – Excessive read buffering DoS in http.client
https://notcve.org/view.php?id=CVE-2025-13836
01 Dec 2025 — When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. This update for python312 fixes the following issues. Quadratic complexity when building nested elements using 'xml.dom.minidom' methods that depend on '_clear_id_cache' can lead to availability issues when building excessively nested documents. Use o... • https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155 • CWE-400: Uncontrolled Resource Consumption
