Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the http.cookies.Morsel.update function's |= operator and unpickling paths, http.cookies.BaseCookie.jsoutput function. An attacker can inject control characters into cookies by supplying...

CVE-2026-27962

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

CVE-2026-28490

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption JWE RSA15 key management algorithm. Authlib registe...

CVE-2026-28498

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect OIDC ID Tokens. Specifically, the internal hash verification logic verifyhash...

EulerOS Virtualization 2.12.1 : python-urllib3 (EulerOS-SA-2026-1459)

According to the versions of the python-urllib3 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links ...

abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +694 more potentially affected by CVE-2025-14287 via mlflow (>=3.0.0rc2 <=3.6.0rc0)

mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: CVE-2025-14287 Source advisory: SNYK:PYTHON-MLFLOW-15674468...

abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +751 more potentially affected by CVE-2025-14287 via mlflow-skinny (>=3.0.0 <=3.8.0)

mlflow-skinny PYPI version =3.0.0, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: CVE-2025-14287 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-16698158...

CLSA-2026-1773480241 python: Fix of CVE-2025-12084

CVE-2025-12084: fix quadratic algorithm when building nested XML elements with appendChild...

CLSA-2026-1773481701 python3.9: Fix of CVE-2025-6075

CVE-2025-6075: fix quadratic complexity in os.path.expandvars...

article-extract (>=0.1.2 <=0.1.3), athlinks-races (>=0.0.4 <=0.0.7) +51 more potentially affected by unknown CVE via scrapy (>=1.4.0 <=2.14.1)

scrapy PYPI version =1.4.0, =0.1.2, =0.0.4, =3.4.0, =2.8.3, =0.0.1.dev1, =1.3.0, =1.2.1.20160901, =0.2.0, =0.0.5, =0.2.4, =0.0.2, =0.3.0a0, =0.0.20, =0.0.34 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-SCRAPY-15624315...

CVE-2026-32597

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting...

OPENSUSE-SU-2026:10332-1 python311-PyPDF2-2.11.1-7.1 on GA media

These are all security issues fixed in the python311-PyPDF2-2.11.1-7.1 package on the GA media of openSUSE Tumbleweed...

EUVD-2026-11607

multipart vulnerable to ReDoS in parseoptionsheader...

CVE-2026-28356

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parseoptionsheader function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking ReDoS when parsing maliciously crafted HTTP or multipar...

CVE-2026-28356

The CVE affects the Python library multipart (fast multipart/form-data parser). Before versions 1.2.2, 1.3.1, and 1.4.0-dev, parse_options_header() uses a regex with an ambiguous alternation that can cause exponential backtracking (ReDoS) when processing malicious HTTP headers or multipart/form-d...

CVE-2026-28356 ReDoS in multipart 1.3.0 - `parse_options_header()`

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parseoptionsheader function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking ReDoS when parsing maliciously crafted HTTP or multipar...

CVE-2026-28356 ReDoS in multipart 1.3.0 - `parse_options_header()`

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parseoptionsheader function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking ReDoS when parsing maliciously crafted HTTP or multipar...

CVE-2026-31958

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates the possibility ...

MAL-2026-1342 Malicious code in collectables (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e007c43e26edb912325f1478ec6cd5cd838b5d7e5ae62beedd3baa02638b3dc4 Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

MAL-2026-1341 Malicious code in collects (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fc7f98d0c4c092f4eb4a73240f8c7a5df90717853ee408fefa9eeb09a41d2cae Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...