PT-2026-34527

Summary The extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0...

PT-2026-34538

Name of the Vulnerable Software and Affected Versions Poetry versions prior to 2.3.4 Description The extractall function in src/poetry/utils/helpers.py extracts sdist tarballs without path traversal protection on Python versions where tarfile.data filter is unavailable. This occurs specifically o...

10xscale-agentflow-cli (=0.1.5), admin-api-lib (>=3.2.0 <=4.2.0) +463 more potentially affected by CVE-2026-40347 via python-multipart (>=0.0.10 <=0.0.24)

python-multipart PYPI version =0.0.10, =3.2.0, =0.8.2.4, =0.1.0, =1.0.202504142220, =0.1.0, =0.4.0, =0.1.0, =0.4.0, =0.1.0, =0.4.0, =1.6.21, =0.1.1, =0.1.5 and more Source cves: CVE-2026-40347 Source advisory: OSV:GHSA-MJ87-HWQH-73PJ...

[SECURITY] Fedora 42 Update: uv-0.10.12-1.fc42

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

[SECURITY] Fedora 44 Update: uv-0.11.2-1.fc44

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

EulerOS 2.0 SP10 : python-pip (EulerOS-SA-2026-1347)

According to the versions of the python-pip packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP...

Ubuntu: Security Advisory (USN-8018-2)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Exploit for CVE-2025-4517

CVE-2025-4517 Exploit - WingData HTB NOTES This exploit an...

Ubuntu: Security Advisory (USN-8018-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : Python vulnerabilities (USN-8018-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8018-1 advisory. Denis Ledoux discovered that Python incorrectly parsed email message headers. An...

USN-8018-1 python3.14, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4 vulnerabilities

Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages. This issue only affected python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and...

EulerOS 2.0 SP13 : python-pip (EulerOS-SA-2026-1214)

According to the versions of the python-pip packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP...

AZL-75231 CVE-2025-12781 affecting package python3 3.12.9-9

When passing data to the b64decode, standardb64decode, and urlsafeb64decode functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. Th...

USN-7951-1 python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, python3.14 vulnerability

It was discovered that Python's http.client did not properly handle the Content-Length header in HTTP responses. A malicious server could exploit this to cause Python to allocate excessive memory, leading to a denial of service...

Python DoS Vulnerability (Dec 2025) - Mac OS X

Python is prone to a denial of service DoS vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:python:python";...

USN-7886-1 python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4 vulnerabilities

It was discovered that Python inefficiently handled expanding system environment variables. An attacker could possibly use this issue to cause Python to consume excessive resources, leading to a denial of service. CVE-2025-6075 Caleb Brown discovered that Python incorrectly handled the ZIP64 End ...

OESA-2025-2637 python3 security update

Security Fixes: CPython 3.9 and earlier doesn't disallow configuring an empty list "" for SSLContext.setnpnprotocols which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used see CVE-2024-5535 for OpenSSL. This vulnerability is of low severity d...

Amazon Linux 2 : python-pip, --advisory ALAS2-2025-3023 (ALAS-2025-3023)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-3023 advisory. When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706.Note that upgrading pip to a fixed version for this...

Medium: python3.11-pip

Issue Overview: When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by usin...

Medium: python-pip

Issue Overview: When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by usin...