Python 3.13.10 Security Vulnerabilities
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
CVSS Score
6.3
EPSS Score
0.008
Published
2026-05-11
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\...`), then the archive will be extracted outside the target directory, which differs from the behavior on other operating systems. Only Windows is affected by this vulnerability.
CVSS Score
6.0
EPSS Score
0.005
Published
2026-04-27
`http.cookies.Morsel.js_output()` returns an inline `<script>` snippet and only escapes `"` for the JavaScript string context. It does not neutralize the HTML parser-sensitive sequence `</script>` inside the generated script element. The mitigation base64-encodes the cookie value so that the cookie value cannot be used to escape the script context.
CVSS Score
2.1
EPSS Score
0.002
Published
2026-04-22
The `webbrowser.open()` API would accept leading dashes in the URL, which could be handled as command-line options by certain web browsers. The new behavior rejects leading dashes. Users are recommended to sanitize URLs before passing them to `webbrowser.open()`.
CVSS Score
7.0
EPSS Score
0.002
Published
2026-03-20
When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model, a C stack overflow occurs.
CVSS Score
6.0
EPSS Score
0.006
Published
2026-03-16
The fix for CVE-2026-0672, which rejected control characters in `http.cookies.Morsel`, was incomplete. The `Morsel.update()`, `|=` operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, `BaseCookie.js_output()` lacked the output validation applied to `BaseCookie.output()`.
CVSS Score
6.0
EPSS Score
0.004
Published
2026-03-16
The `tarfile` module would still apply normalization of AREGTYPE (`\x00`) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being interpreted differently by the `tarfile` module than by other implementations.
CVSS Score
2.0
EPSS Score
0.002
Published
2026-03-12
When building nested elements using `xml.dom.minidom` methods such as `appendChild()` that depend on `_clear_id_cache()`, the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
CVSS Score
6.3
EPSS Score
0.007
Published
2025-12-03
When reading an HTTP response from a server, if no read amount is specified, the default behavior is to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.
CVSS Score
6.3
EPSS Score
0.015
Published
2025-12-01
If the value passed to `os.path.expandvars()` is user-controlled, a performance degradation is possible when expanding environment variables.
CVSS Score
1.8
EPSS Score
0.001
Published
2025-10-31


Shodan ® - All rights reserved