CVE-2026-28356 ReDoS in multipart 1.3.0 - `parse_options_header()`

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parseoptionsheader function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking ReDoS when parsing maliciously crafted HTTP or multipar...

CVE-2026-31958

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates the possibility ...

MAL-2026-1342 Malicious code in collectables (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e007c43e26edb912325f1478ec6cd5cd838b5d7e5ae62beedd3baa02638b3dc4 Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

MAL-2026-1341 Malicious code in collects (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fc7f98d0c4c092f4eb4a73240f8c7a5df90717853ee408fefa9eeb09a41d2cae Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID

A flaw was found in pyasn1, a generic ASN.1 library for Python. A remote attacker could exploit this vulnerability by sending a specially crafted RELATIVE-OID with excessive continuation octets. This input validation vulnerability leads to memory exhaustion, resulting in a Denial of Service DoS f...

Linux Distros Unpatched Vulnerability : CVE-2026-27932

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In 1.6.2 and earlier, a resource...

01os (=0.0.14), aa-rag (>=0.4.2 <=0.4.3) +934 more potentially affected by CVE-2026-0847 via nltk (>=2.0.4 <=3.9.2)

nltk PYPI version =2.0.4, =0.4.2, =0.2.3, =0.2.0, =0.0.4, =0.0.1, =0.1.0, =0.1.0, =0.0.9, =0.1.0 and more Source cves: CVE-2026-0847 Source advisory: OSV:PYSEC-2026-98...

CVE-2026-25673 Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. URLField.topython in Django calls urllib.parse.urlsplit, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial o...

joserfc 安全漏洞

Joserfc is a Python library developed by Authlib. Joserfc versions 1.6.2 and earlier have security vulnerabilities. These vulnerabilities stem from the lack of verification or restrictions on the p2c parameter value in the JWE token. This allows unverified attackers to cause denial-of-service...

3d-rcnet (>=0.2.2 <=0.2.3), aa-prepflow (>=0.1.0 <=0.1.1) +683 more potentially affected by CVE-2026-28415 via gradio (>=6.0.0 <=6.4.0)

gradio PYPI version =6.0.0, =0.2.2, =0.1.0, =0.0.3, =0.1.5, =0.1.0, =0.1.0, =0.1.0, =3.3.0, =0.1.4, =0.1.3, =0.1.0, =0.0.1, =0.0.5 and more Source cves: CVE-2026-28415 Source advisory: SNYK:PYTHON-GRADIO-15366398...

CLSA-2026-1772192033 python2: Fix of 2 CVEs

CVE-2026-1299: raise exceptions for malformed input to prevent processing invalid or dangerous headers - CVE-2024-6923: encode newlines in headers and verify headers are sound...

CLSA-2026-1772146735 python: Fix of CVE-2015-20107

CVE-2015-20107: fix shell command injection vulnerability in the mailcap module...

CLSA-2026-1772037700 python: Fix of CVE-2015-20107

CVE-2015-20107: fix shell command injection vulnerability in the mailcap module...

acceldata-o2a (=1.0.0), aglow (>=0.1.0rc3 <=0.1.0rc4) +30 more potentially affected by CVE-2024-56373 via apache-airflow (>=2.0.0 <=2.11.0)

apache-airflow PYPI version =2.0.0, =0.1.0rc3, =0.1.0, =0.6.0, =0.0.1, =0.6.4, =1.0.0, =0.2.0, =2.10.3, =0.3.12, =1.8.0rc2, =4.3.0, =6.0.1 and more Source cves: CVE-2024-56373 Source advisory: SNYK:PYTHON-APACHEAIRFLOW-15339025...

OPENSUSE-SU-2026:10238-1 python311-PyPDF2-2.11.1-4.1 on GA media

These are all security issues fixed in the python311-PyPDF2-2.11.1-4.1 package on the GA media of openSUSE Tumbleweed...

[SECURITY] Fedora 42 Update: python-azure-core-1.38.0-2.fc42

Azure Core shared client library for Python...

Malicious AI

Interesting: Summary: An AI agent of unknown ownership autonomously wrote and published a personalized hit piece about me after I rejected its code, attempting to damage my reputation and shame me into accepting its changes into a mainstream python library. This represents a first-of-its-kind cas...

CLSA-2026-1771499011 python3: Fix of 3 CVEs

CVE-2025-15366: reject control characters in IMAP commands - CVE-2025-15367: reject control characters in POP3 commands - CVE-2026-1299: reject the incorrectly folded headers in "BytesGenerator"...

urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion

A flaw was found in urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain...

SUSE CVE-2026-26007

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the publickeyfromnumbers or EllipticCurvePublicNumbers.publickey, EllipticCurvePublicNumbers.publickey, loadderpublickey and loadpempublickey functions do not verify that the...