770 matches found
aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
A decompression-based denial of service flaw has been discovered in the AIOHTTP Python library. Library versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could...
urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion
A flaw was found in the urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain...
BIT-PYTHON-2025-15282 Header injection via newlines in data URL mediatype
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...
BIT-PYTHON-MIN-2025-12781 base64.b64decode() always accepts "+/" characters, despite setting altchars
When passing data to the b64decode, standard_b64decode, and urlsafe_b64decode functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. Th...
MAL-2026-492 Malicious code in tableates (PyPI)
Source: kam193 c69d9a3e244227f4e4146b60829ead907656c47989b3b83e1e5f56a2c06064ff Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...
OESA-2026-1233 python-urllib3 security update
HTTP library with thread-safe connection pooling, file post support, sanity friendly, and more. Security Fixes: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious...
MAL-2026-490 Malicious code in tabletes (PyPI)
Source: kam193 b0e46bf0a52fee42a54e122a61b6da920b8d08234f109ab1da45c7f6c7042ef2 Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...
dzbanek-langflow-base (>=0.6.0 <=0.6.1), langflow-base (>=0.7.0 <=0.8.0rc2) +1 more potentially affected by CVE-2026-0770 via lfx (>=0.1.13 <=0.3.4)
lfx PYPI version =0.1.13, =0.6.0, =0.7.0, =0.8.0rc2 - langflow-nightly =1.8.0.dev24 Source cves: CVE-2026-0770 Source advisory: SNYK:PYTHON-LFX-15091579...
CVE-2025-12781
A flaw was found in the base64 module in the Python standard library. The b64decode, standard_b64decode and urlsafe_b64decode functions will always accept the '+' and '/' characters even when an alternative base64 alphabet is specified via the altchars parameter that excludes them. This input...
MAL-2026-450 Malicious code in sympy-dev (PyPI)
Package downloads and executes code from remote servers, indicating malicious behavior. Multiple files and IPs involved. Package impersonates popular sympy package...
SUSE CVE-2025-15282
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...
PSF-2026-7
When passing data to the b64decode, standard_b64decode, and urlsafe_b64decode functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. Th...
CVE-2025-15282
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...
UBUNTU-CVE-2025-15282
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...
CRLF Injection
Overview: Affected versions of this package are vulnerable to CRLF Injection via the http.cookies.Morsel field. An attacker can manipulate HTTP responses by injecting arbitrary headers through user-controlled cookie values or parameters. Remediation: A fix was pushed into the master branch but not...
CRLF Injection
Overview: Affected versions of this package are vulnerable to CRLF Injection via the urllib.request.DataHandler. An attacker can manipulate HTTP headers by injecting newline characters in the mediatype portion of a data URL, to alter request behavior or bypass security controls. Remediation: A fix...