RHEL 9 : python3.11 (RHSA-2026:14652)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14652 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

RHEL 9 : python3.11 (RHSA-2026:14653)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14653 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

CLSA-2026-1778087756 python3: Fix of 2 CVEs

CVE-2026-4519: reject leading dashes in webbrowser URLs to block command-line option injection via webbrowser.open - CVE-2026-4786: validate the post-substitution URL in webbrowser UnixBrowser.open so that "%action" cannot smuggle a dash-prefixed flag past the CVE-2026-4519 dash-prefix check...

Security update for python3

This update for python3 fixes the following issues: CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of tar archives bsc1259611. CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF bsc1261969...

SUSE-SU-2026:1715-1 Security update for python3

This update for python3 fixes the following issues: - CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of tar archives bsc1259611. - CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF bsc1261969. -...

CLSA-2026-1778000974 python3: Fix of CVE-2026-4519

CVE-2026-4519: reject leading dashes in webbrowser URLs to prevent CLI option injection in pydoc/subprocess...

CLSA-2026-1778015238 python: Fix of CVE-2026-4519

CVE-2026-4519: reject leading dashes in webbrowser URLs that could be treated as command-line options by external browsers; also close a %action-substitution bypass of the check in UnixBrowser.open...

CLSA-2026-1777998709 python2: Fix of 3 CVEs

CVE-2025-8194: validate that tarfile member offsets are non-negative to prevent infinite loop / DoS during parsing of malicious tar archives - CVE-2026-4519: reject URLs with leading dashes in webbrowser.open to prevent injection of command-line options into spawned browser process -...

Important: Red Hat Security Advisory: python3.11 security update

An update for python3.11 is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API

A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...

CLSA-2026-1777946894 Fix CVE(s): CVE-2022-0391, CVE-2022-45061, CVE-2024-7592, CVE-2026-4519

SECURITY UPDATE: URL parsing accepts ASCII tab/CR/LF URL smuggling - debian/patches/CVE-2022-0391.patch: sanitise tab, CR, LF anywhere in URL/scheme inside urlsplit before cache lookup, plus regression test in Lib/urlparse.py, Lib/test/testurlparse.py. - CVE-2022-0391 SECURITY UPDATE: Quadratic...

CLSA-2026-1777946871 python: Fix of CVE-2026-4519

CVE-2026-4519: reject leading dashes in webbrowser URLs that could be treated as command-line options by external browsers; also close a %action-substitution bypass of the check in UnixBrowser.open...

CLSA-2026-1777946712 python: Fix of CVE-2026-4519

CVE-2026-4519: reject leading dashes in webbrowser URLs that could be treated as command-line options by external browsers; also close a %action-substitution bypass of the check in UnixBrowser.open...

CLSA-2026-1777944317 Fix CVE(s): CVE-2025-8194, CVE-2026-4519, CVE-2026-4786

SECURITY UPDATE: tarfile DoS via negative member offsets - debian/patches/CVE-2025-8194.patch: validate that member offsets are non-negative in Lib/tarfile.py. - CVE-2025-8194 SECURITY UPDATE: webbrowser.open accepts URLs with leading dashes - debian/patches/CVE-2026-4519-CVE-2026-4786.patch:...

CLSA-2026-1777944042 Fix CVE(s): CVE-2025-8194, CVE-2026-4519, CVE-2026-4786

SECURITY UPDATE: tarfile DoS via negative member offsets - debian/patches/CVE-2025-8194.patch: validate that member offsets are non-negative in Lib/tarfile.py. - CVE-2025-8194 SECURITY UPDATE: webbrowser.open accepts URLs with leading dashes - debian/patches/CVE-2026-4519-CVE-2026-4786.patch:...

CLSA-2026-1777891107 python3.11: Fix of CVE-2026-4786

CVE-2026-4786: fix webbrowser %action substitution bypass of the dash-prefix safety check by validating the post-substitution URL and expanding %action before %s in UnixBrowser argument assembly...

CLSA-2026-1777883384 python3.11: Fix of CVE-2026-4786

CVE-2026-4786: fix webbrowser %action substitution bypass of dash-prefix check by validating url after %action expansion and reordering replace calls so the dash-prefix check sees the final argument...

MiracleLinux 9 : python3.12-3.12.12-4.el9_7.3 (AXSA:2026-519:12)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-519:12 advisory. python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules CVE-2026-6100 python: cpython: Python:...

MiracleLinux 8 : python3.11-3.11.13-7.el8_10 (AXSA:2026-522:10)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-522:10 advisory. python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules CVE-2026-6100 python: cpython: Python:...

MiracleLinux 9 : python3.11-3.11.13-5.3.el9_7 (AXSA:2026-521:09)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-521:09 advisory. python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules CVE-2026-6100 python: cpython: Python:...