RLSA-2026:19177 Important: python3.12 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

python-jwcrypto security update

An update is available for python-jwcrypto. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Python is an interpreted, interactive, object-oriented programming...

SUSE-SU-2026:21914-1 Security update for python-idna

This update for python-idna fixes the following issue - CVE-2026-45409: specially crafted inputs to idna.encode can bypass earlier security fix bsc1265413...

EUVD-2026-32918

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

CVE-2026-48526

PyJWT (Python) prior to 2.13.0 did not validate the use of JSON Web Keys in HMAC verification, allowing an attacker to use the issuer public key as the HMAC secret during token verification. This could enable forging tokens when mixing RS/EC/JWK and HS algorithms. The issue is fixed in PyJWT 2.13...

EUVD-2026-32917

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the...

CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

EUVD-2026-32916

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

SUSE-SU-2026:21873-1 Security update for python-idna

This update for python-idna fixes the following issue - CVE-2026-45409: specially crafted inputs to idna.encode can bypass earlier security fix bsc1265413...

CVE-2026-48522

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no...

CVE-2026-45017

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and...

CVE-2026-45017 Python Liquid: Absolute paths escape filesystem loader search path

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and...

CVE-2026-45017 Python Liquid: Absolute paths escape filesystem loader search path

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and...

CVE-2026-45017

CVE-2026-45017 affects the Python Liquid engine. Before 2.2.0, FileSystemLoader and CachingFileSystemLoader fail to guard against reading files outside the search path when given absolute paths, enabling a malicious template author to load and render arbitrary files via {% include %} and {% rende...

EUVD-2026-32907

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and...

CVE-2026-44723

Vowpal Wabbit is a machine learning system. The workflow .github/workflows/pythonchecks.yml embeds $ github.event.pullrequest.title directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script...

OPENSUSE-SU-2026:20839-1 Security update for python-pytest-html

This update for python-pytest-html fixes the following issues: Changes in python-pytest-html: - CVE-2026-9277: shell-quote: improper escaping of newlines bsc1266254 Update the vendored shell-quote to 1.8.4 nodemodules...

OPENSUSE-SU-2026:20827-1 Security update for python-mistune

This update for python-mistune fixes the following issues - CVE-2026-33079: ReDoS in LINKTITLERE can lead to denial of service via a crafted Markdown bsc1264347. - CVE-2026-33441: processing of malformed reference links can lead to excessive resource consumption and denial of service bsc1264752. ...

Malicious code in my-test-package-2025-xyz (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a2f3ab0a3c7ef9009c99575d9dd051c4a97575435cabf5d3a4c223f53bc47b89 During installation, the package opens a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

MAL-2026-4837 Malicious code in my-test-package-2025-xyz (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a2f3ab0a3c7ef9009c99575d9dd051c4a97575435cabf5d3a4c223f53bc47b89 During installation, the package opens a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...