Python

This hub aggregates every CVE we track for Python, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Python.

• CVE-2026-7210The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection7.5May 11, 2026
• CVE-2026-3087shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs7.5Apr 27, 2026
• CVE-2026-41140Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.45.3Apr 24, 2026
• CVE-2026-6019BaseCookie.js_output() does not neutralize embedded characters6.1Apr 22, 2026
• CVE-2026-4519webbrowser.open() allows leading dashes in URLs3.3Mar 20, 2026
• CVE-2026-4224Stack overflow parsing XML with deeply nested DTD content models7.5Mar 16, 2026
• CVE-2026-3644Incomplete control character validation in http.cookies7.5Mar 16, 2026
• CVE-2025-13462tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling3.3Mar 12, 2026
• CVE-2026-1299email BytesGenerator header injection due to unquoted newlines7.1Jan 23, 2026
• CVE-2025-12781base64.b64decode() always accepts "+/" characters, despite setting altchars5.3Jan 21, 2026
• CVE-2026-0672Header injection in http.cookies.Morsel7.1Jan 20, 2026
• CVE-2025-15367POP3 command injection in user-controlled commands5.5Jan 20, 2026
• CVE-2025-15366IMAP command injection in user-controlled commands5.5Jan 20, 2026
• CVE-2025-15282Header injection via newlines in data URL mediatype7.7Jan 20, 2026
• CVE-2025-11468Folding email comments of unfoldable characters doesn't preserve parenthesis7.5Jan 20, 2026