BIT-PYTHON-2025-15282 Header injection via newlines in data URL mediatype

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...

BIT-PYTHON-MIN-2025-12781 base64.b64decode() always accepts "+/" characters, despite setting altchars

When passing data to the b64decode, standardb64decode, and urlsafeb64decode functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. Th...

urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion

A flaw was found in urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain...

urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion

A flaw was found in urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain...

MAL-2026-492 Malicious code in tableates (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c69d9a3e244227f4e4146b60829ead907656c47989b3b83e1e5f56a2c06064ff Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

OESA-2026-1233 python-urllib3 security update

HTTP library with thread-safe connection pooling, file post support, sanity friendly, and more. Security Fixes: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious...

MAL-2026-490 Malicious code in tabletes (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b0e46bf0a52fee42a54e122a61b6da920b8d08234f109ab1da45c7f6c7042ef2 Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

dzbanek-langflow-base (>=0.6.0 <=0.6.1), langflow-base (>=0.7.0 <=0.8.0rc2) +1 more potentially affected by CVE-2026-0770 via lfx (>=0.1.13 <=0.3.4)

lfx PYPI version =0.1.13, =0.6.0, =0.7.0, =0.8.0rc2 - langflow-nightly =1.8.0.dev24 Source cves: CVE-2026-0770 Source advisory: SNYK:PYTHON-LFX-15091579...

CVE-2025-12781

A flaw was found in the base64 module in the Python standard library. The b64decode, standardb64decode and urlsafeb64decode functions will always accept the '+' and '/' characters even when an alternative base64 alphabet is specified via the altchars parameter that excludes them. This input...

MAL-2026-450 Malicious code in sympy-dev (PyPI)

Package downloads and executes code from remote servers, indicating malicious behavior. Multiple files and IPs involved. Package impersonates popular sympy package...

SUSE CVE-2025-15282

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...

PSF-2026-7

When passing data to the b64decode, standardb64decode, and urlsafeb64decode functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. Th...

CVE-2025-15282

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...

UBUNTU-CVE-2025-15282

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via the http.cookies.Morsel field. An attacker can manipulate HTTP responses by injecting arbitrary headers through user-controlled cookie values or parameters. Remediation A fix was pushed into the master branch but not...

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via the urllib.request.DataHandler. An attacker can manipulate HTTP headers by injecting newline characters in the mediatype portion of a data URL, to alter request behavior or bypass security controls. Remediation A fix...

aegis-game (>=2.0.0 <=2.9.9), bittrade-binance-websocket (>=0.2.3 <=0.4.8) +28 more potentially affected by CVE-2025-66902 via websocket-server (>=0.4.0 <=0.6.4)

websocket-server PYPI version =0.4.0, =2.0.0, =0.2.3, =0.1.7, =0.2.0, =0.1.0, =0.1.1, =0.1.0, =0.7.0, =0.0.11, =0.2.0, =0.2.39 and more Source cves: CVE-2025-66902 Source advisory: SNYK:PYTHON-WEBSOCKETSERVER-15046798...

PLY security vulnerabilities

PLY is a Python library developed by B07’s individual developers. Version 3.11 of PLY contains a security vulnerability. This vulnerability stems from the unvalidated deserialization of pickle files via the picklefile parameter in the yacc function, which could lead to remote code execution...

CVE-2025-56005

An undocumented and unsafe feature in the PLY Python Lex-Yacc library 3.11 allows Remote Code Execution RCE via the picklefile parameter in the yacc function. This parameter accepts a .pkl file that is deserialized with pickle.load without validation. Because pickle allows execution of embedded...

Updated python-urllib3 packages fix security vulnerabilities

urllib3 allows an unbounded number of links in the decompression chain. CVE-2025-66418 urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects streaming API. CVE-2026-21441...