19 matches found

OSV
added 2026/05/19 5:57 p.m. | 7 views

CLSA-2026-1779213441 python3.11: Fix of 11 CVEs

CVE-2026-4224: avoid unbound C recursion in conv_content_model in pyexpat - CVE-2026-3644: reject control characters in http.cookies.Morsel.update - CVE-2026-0672: reject control characters in http.cookies.Morsel - CVE-2025-8291: check consistency of zip64 end of central directory record -...

CVSS: 7.5 | AI score: 6.8 | EPSS: 0.00864
Exploits: 1 | References: 1

OSV
added 2026/04/16 9:10 a.m. | 8 views

CLSA-2026-1776330599 python3.9: Fix of 11 CVEs

CVE-2025-8291: fix zipfile ZIP64 EOCD Locator offset validation - CVE-2025-6069: fix quadratic complexity in HTMLParser - CVE-2025-4516: fix use-after-free in unicode-escape decoder with error handler - CVE-2026-2297: ensure SourcelessFileLoader uses io.open_code - CVE-2026-3479: reject invalid...

CVSS: 7.5 | AI score: 6.4 | EPSS: 0.00864
Exploits: 0 | References: 1

SUSE Linux
added 2026/04/15 2:30 p.m. | 2 views

Security update for python

This update for python fixes the following issues: CVE-2026-3479: improper resource argument validation in pkgutil.get_data can allow path traversal bsc1259989. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch"...

CVSS: 3.3 | AI score: 5.8 | EPSS: 0.00016
Exploits: 0 | References: 4

OSV
added 2026/04/15 2:30 p.m. | 1 view

SUSE-SU-2026:1365-1 Security update for python

This update for python fixes the following issues: - CVE-2026-3479: improper resource argument validation in pkgutil.get_data can allow path traversal bsc1259989...

AI score: 5.8 | EPSS: 0.00016
Exploits: 0 | References: 3

OSV
added 2026/03/20 9:21 a.m. | 4 views

BIT-PYTHON-2026-3479 pkgutil.get_data() does not enforce documented restrictions

pkgutil.get_data did not validate the resource argument as documented, allowing path traversals...

AI score: 5.8 | EPSS: 0.00016
Exploits: 0 | References: 5

Tenable Nessus
added 2026/03/19 12:0 a.m. | 4 views

Linux Distros Unpatched Vulnerability : CVE-2026-3479

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data has the same security model as open. The documentation has be...

AI score: 5.8 | EPSS: 0.00016
Exploits: 0 | References: 4

EUVD
added 2026/03/18 9:32 p.m. | 2 views

EUVD-2026-12940

pkgutil.get_data did not validate the resource argument as documented, allowing path traversals...

CVSS: 2.1 | AI score: 5.8 | EPSS: 0.00016
Exploits: 0 | References: 4

OSV
added 2026/03/18 7:16 p.m. | 2 views

CVE-2026-3479

pkgutil.get_data did not validate the resource argument as documented, allowing path traversals...

CVSS: 2.1 | AI score: 5.9
Exploits: 0 | References: 4

OSV
added 2026/03/18 7:16 p.m. | 1 view

DEBIAN-CVE-2026-3479

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data has the same security model as open. The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data did...

AI score: 4.6 | EPSS: 0.00016
Exploits: 0 | References: 1

OSV
added 2026/03/18 6:13 p.m. | 1 view

PSF-2026-13

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data has the same security model as open. The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data did...

AI score: 5.7 | EPSS: 0.00016
Exploits: 0 | References: 7

Cvelist
added 2026/03/18 6:13 p.m. | 14 views

CVE-2026-3479 pkgutil.get_data() does not enforce documented restrictions

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data has the same security model as open. The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data did...

EPSS: 0.00016
Exploits: 0 | References: 7

Positive Technologies
added 2026/03/18 12:0 a.m. | 1 view

PT-2026-26139

Name of the Vulnerable Software and Affected Versions pkgutil affected versions not specified Description The pkgutil.get_data function did not properly validate the resource argument, as documented. This allowed for path traversal, potentially enabling unauthorized access to files. Recommendatio...

AI score: 5.8 | EPSS: 0.00016
Exploits: 0 | References: 100

Snyk
added 2026/03/03 8:4 p.m. | 1 view

Permissive List of Allowed Inputs

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the unsafeglobals function that does not block pkgutil.resolve_name Python stdlib function. An attacker can...

CVSS: 10 | AI score: 6.1
Exploits: 0 | References: 2

GitHub Security Blog
added 2026/03/03 8:4 p.m. | 4 views

PickleScan's pkgutil.resolve_name has a universal blocklist bypass

Summary pkgutil.resolve_name is a Python stdlib function that resolves any "module:attribute" string to the corresponding Python object at runtime. By using pkgutil.resolve_name as the first REDUCE call in a pickle, an attacker can obtain a reference to ANY blocked function e.g., os.system,...

AI score: 6
Exploits: 0 | References: 2 | Affected Software: 1

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2025-32168

Malicious code in bioql PyPI...

AI score: 6.6
Exploits: 0 | References: 1

Snyk
added 2025/10/02 2:28 p.m. | 3 views

Malicious Package

Overview pkgutil-resolve-name is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS: 9.8 | AI score: 6.8
Exploits: 0 | References: 2

OSV
added 2025/10/02 2:28 p.m. | 2 views

MAL-2025-47891 Malicious code in pkgutil-resolve-name (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 355bf6f2e2ca64d826a7a85321bd48180e7683107611ff321101c5baf3b26e0a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 6.9
Exploits: 0 | References: 1

OSSF Malicious Packages
added 2025/10/02 2:28 p.m. | 3 views

Malicious code in pkgutil-resolve-name (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 355bf6f2e2ca64d826a7a85321bd48180e7683107611ff321101c5baf3b26e0a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 6.9
Exploits: 0 | References: 1

Talos
added 2019/01/02 12:0 a.m. | 19 views

Clean My Mac X removePackageWithID privilege escalation vulnerability

Summary An exploitable privilege escalation vulnerability exists in the helper service of Clean My Mac X, version 4.04, due to improper input validation. An attacker with local access could exploit this vulnerability to modify the file system as root. Tested Versions Clean My Mac X 4.04 Product...

CVSS: 7.1 | AI score: 6 | EPSS: 0.00044
Exploits: 0