CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-61912 – python-ldap Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination
https://notcve.org/view.php?id=CVE-2025-61912
10 Oct 2025 — python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue... • https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f • CWE-116: Improper Encoding or Escaping of Output CWE-170: Improper Null Termination •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-61911 – python-ldap has sanitization bypass in ldap.filter.escape_filter_chars
https://notcve.org/view.php?id=CVE-2025-61911
10 Oct 2025 — python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` or `dict` is supplied as the `assertion_value` parameter, and the non-default `escape_mode=1` is configured. The method `ldap.filter.escape_filter_chars` supports 3 different escaping modes. `escape_mode=0` (default) and `escape_mode=2` happen to raise exceptions w... • https://github.com/python-ldap/python-ldap/commit/3957526fb1852e84b90f423d9fef34c7af25b85a • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 2.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46656
https://notcve.org/view.php?id=CVE-2025-46656
26 Apr 2025 — python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption. • https://github.com/matthewwithanm/python-markdownify/compare/0.14.0...0.14.1 • CWE-1284: Improper Validation of Specified Quantity in Input •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2024-50649
https://notcve.org/view.php?id=CVE-2024-50649
15 Nov 2024 — The user avatar upload function in python_book V1.0 has an arbitrary file upload vulnerability. • https://github.com/Yllxx03/CVE/blob/main/python_book/FileUpload.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50650
https://notcve.org/view.php?id=CVE-2024-50650
15 Nov 2024 — python_book V1.0 is vulnerable to Incorrect Access Control, which allows attackers to obtain sensitive information of users with different IDs by modifying the ID parameter. • https://github.com/Yllxx03/CVE/blob/main/python_book/BrokenAccessControl.md • CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-33663 – python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats
https://notcve.org/view.php?id=CVE-2024-33663
25 Apr 2024 — python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. python-jose hasta 3.3.0 tiene confusión de algoritmos con claves OpenSSH ECDSA y otros formatos de claves. Esto es similar a CVE-2022-29217. An update that fixes one vulnerability is now available. This update for python-python-jose fixes the following issues. • https://github.com/mpdavis/python-jose/issues/346 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-33664 – openSUSE Security Advisory - openSUSE-SU-2024:0149-1
https://notcve.org/view.php?id=CVE-2024-33664
25 Apr 2024 — python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319. python-jose hasta la versión 3.3.0 permite a los atacantes provocar una denegación de servicio (consumo de recursos) durante una decodificación a través de un token JSON Web Encryption (JWE) manipulado con una alta relación de compresión, también conocido como una "bomba... • https://github.com/mpdavis/python-jose/issues/344 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-50782 – Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659
https://notcve.org/view.php?id=CVE-2023-50782
05 Feb 2024 — A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. Se encontró una falla en el paquete python-cryptography. Este problema puede permitir que un atacante remoto descifre mensajes capturados en servidores TLS que utilizan intercambios de claves RSA, lo que puede provocar la exposición de datos confidenciales o sensibles. Hubert Kario dis... • https://access.redhat.com/security/cve/CVE-2023-50782 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-6507 – Groups not dropped before running subprocess when using empty 'extra_groups' parameter
https://notcve.org/view.php?id=CVE-2023-6507
08 Dec 2023 — An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. Thi... • https://github.com/python/cpython/commit/10e9bb13b8dcaa414645b9bd10718d8f7179e82b • CWE-269: Improper Privilege Management •
CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0CVE-2023-40217 – python: TLS handshake bypass
https://notcve.org/view.php?id=CVE-2023-40217
25 Aug 2023 — An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This da... • https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html • CWE-305: Authentication Bypass by Primary Weakness •