Cpython

This hub aggregates every CVE we track for Cpython, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Cpython.

• CVE-2026-7210The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection7.5May 11, 2026
• CVE-2026-3087shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs7.5Apr 27, 2026
• CVE-2026-6019BaseCookie.js_output() does not neutralize embedded characters6.1Apr 22, 2026
• CVE-2026-5713Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target5.6Apr 14, 2026
• CVE-2026-6100Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure8.7Apr 13, 2026
• CVE-2026-4519webbrowser.open() allows leading dashes in URLs3.3Mar 20, 2026
• CVE-2026-4224Stack overflow parsing XML with deeply nested DTD content models7.5Mar 16, 2026
• CVE-2026-3644Incomplete control character validation in http.cookies7.5Mar 16, 2026
• CVE-2025-13462tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling3.3Mar 12, 2026
• CVE-2026-2297SourcelessFileLoader does not use io.open_code()5.5Mar 4, 2026
• CVE-2026-1299email BytesGenerator header injection due to unquoted newlines7.1Jan 23, 2026
• CVE-2025-12781base64.b64decode() always accepts "+/" characters, despite setting altchars5.3Jan 21, 2026
• CVE-2026-0672Header injection in http.cookies.Morsel7.1Jan 20, 2026
• CVE-2025-15367POP3 command injection in user-controlled commands5.5Jan 20, 2026
• CVE-2025-15366IMAP command injection in user-controlled commands5.5Jan 20, 2026