Where
-Infinity
0

Trending

Last week
Last month
Last year

Vendor Risk Score

See how python compares to other vendors in security performance

View Risk Score →

Software

python python
79
python 2.7
77
python imaging library (pillow)
38
python pillow
22
python cpython
17
python urllib3
16
python software foundation python
9
python
8
python package index
3
python requests
3
pythonware python imaging library
3
python http.cookies.morsel
2
python imaging library (pil)
2
python imaplib
2
python keyring
2
python package installer
2
python pymanager
2
python pyxml
2
python setuptools
2
python tarfile
2
python typed ast
2
python urllib.request.datahandler
2
python asyncio.proactoreventloop
1
python beaker
1
python black
1
python black python
1
python feed parser
1
python hpack
1
python json logger
1
python jw.util
1
python openpyxl
1
python pip
1
python pkgutil.get_data
1
python poplib
1
python poplib module
1
python priority library
1
python pybluemonday
1
python python (bz2.bz2decompressor)
1
python python (gzip.gzipfile)
1
python python (lzma.lzmadecompressor)
1
python python (shutil.unpack_archive)
1
python python email (email.bytesgenerator)
1
python python webbrowser module
1
python python-gnupg
1
python rply
1
python software foundation cpython
1
python software foundation plistlib
1
python software foundation setuptools
1
python ssl module
1
python tkvideoplayer
1

oss-sec[oss-security][CVE-2026-8328] CPython: FTP PASV SSRF, ftpcp() does not use actual peer addss, trusts server-supplied PASV host addss

First published (updated )
https://seclists.org/oss-sec/2026/q2/521

Python CPythonFTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address

Risk 26
Severity
5.9
EPSS
0.05%
First published (updated )
CVE-2026-8328

oss-sec[oss-security][CVE-2026-7210] Cpython: The expat and elementte parsers use insufficient entropy for XML hash-flooding protection

First published (updated )
https://seclists.org/oss-sec/2026/q2/483

pip/urllib3urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API

Risk 46
Severity
8.9
First published (updated )
CVE-2026-44432

pip/urllib3urllib3: Sensitive headers forwarded across origins in proxied low-level redirects

Risk 41
Severity
8.2
First published (updated )
CVE-2026-44431
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

pip/pillowPillow: OOB Write with Invalid PSD Tile Extents (Integer Overflow)

Risk 76
Severity
8.6
First published (updated )
CVE-2026-42311

pip/pillowPillow: PDF Parsing Trailer Infinite Loop (DoS)

Risk 32
Severity
5.1
First published (updated )
CVE-2026-42310

pip/pillowPillow: Integer overflow when processing fonts

Risk 32
Severity
5.1
First published (updated )
CVE-2026-42308

pip/pillowPillow: Heap buffer overflow with nested list coordinates

Risk 32
Severity
5.1
First published (updated )
CVE-2026-42309

Python Pythonshutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

Risk 46
Severity
6
First published (updated )
CVE-2026-3087
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Python http.cookies.MorselBaseCookie.js_output() does not neutralize embedded characters

Risk 27
Severity
2.1
EPSS
0.06%
First published (updated )
CVE-2026-6019

Python asyncio.ProactorEventLoopOut-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes

Risk 65
Severity
8.8
First published (updated )
CVE-2026-3298

oss-sec[oss-security][CVE-2026-5713] CPython: Out-of-bounds ad/write during mote debugging when connecting to malicious target

First published (updated )
https://seclists.org/oss-sec/2026/q2/139

Python CPythonOut-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target

Risk 32
Severity
5.3
EPSS
0.02%
First published (updated )
CVE-2026-5713

oss-sec[oss-security][CVE-2026-4786] CPython: Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()

First published (updated )
https://seclists.org/oss-sec/2026/q2/123
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Python CPythonMitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be by…

Risk 33
Severity
7
First published (updated )
REDHAT-BUG-2458049

pip/pillowPillow is vulnerable to a FITS GZIP decompression bomb

Risk 47
Severity
8.7
First published (updated )
CVE-2026-40192

Python Python (lzma.LZMADecompressor)Use After Free

Risk 33
Severity
7
First published (updated )
REDHAT-BUG-2457932

oss-sec[oss-security][CVE-2026-6100] CPython: Use-after-fe in lzma.LZMADecompssor, bz2.BZ2Decompssor, and gzip.GzipFile after -use under memory pssu

First published (updated )
https://seclists.org/oss-sec/2026/q2/122

oss-secCPython [CVE-2026-1502] HTTP client proxy tunnel headers not validated for CR/LF

First published (updated )
https://seclists.org/oss-sec/2026/q2/98
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

oss-sec[oss-security][CVE-2026-5271] Python install manager script aliases search path hijack

First published (updated )
https://seclists.org/oss-sec/2026/q2/4

pypi/pymanagerPossible to hijack modules in current working directory

Risk 52
Severity
5.6
EPSS
0.01%
First published (updated )
CVE-2026-5271

pypi/requestsRequests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

Risk 32
Severity
5.5
First published (updated )
CVE-2026-25645

oss-secFwd: [CPython][CVE-2026-4519] webbrowser.open() API allows leading dashes

First published (updated )
https://seclists.org/oss-sec/2026/q1/355

Python Python webbrowser moduleThe webbrowser.open() API would accept leading dashes in the URL which could be handled as command …

Risk 33
Severity
7
First published (updated )
REDHAT-BUG-2449649
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Python Pythonwebbrowser.open() allows leading dashes in URLs

Risk 40
Severity
7
EPSS
0.03%
First published (updated )
CVE-2026-4519

Python pkgutil.get_datapkgutil.get_data() does not enforce documented restrictions

Risk 0
Severity
EPSS
0.01%
First published (updated )
CVE-2026-3479

Python CPythonStack overflow parsing XML with deeply nested DTD content models

Risk 27
Severity
6
EPSS
0.03%
First published (updated )
CVE-2026-4224

Python CPythonIncomplete control character validation in http.cookies

Risk 32
Severity
6
EPSS
0.11%
First published (updated )
CVE-2026-3644

pip/blackBlack: Arbitrary file writes from unsanitized user input in cache file name

Risk 33
Severity
8.7
EPSS
0.02%
First published (updated )
CVE-2026-32274
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203