
807 matches found

OSV
added 2026/01/21 7:34 p.m. | 5 views

PSF-2026-7

When passing data to the b64decode, standard_b64decode, and urlsafe_b64decode functions in the "base64" module, the characters "+/" will always be accepted, regardless of the value of the "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. Th...

CVSS 6.3 | AI score 5.5 | EPSS 0.00513
Exploits: 1 | References: 8
NVD
added 2026/01/20 10:15 p.m. | 4 views

CVE-2025-15282

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...

CVSS 6 | EPSS 0.0048
Exploits: 0 | References: 9
OSV
added 2026/01/20 10:15 p.m. | 0 views

UBUNTU-CVE-2025-15282

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...

CVSS 6 | AI score 5.8 | EPSS 0.0048
Exploits: 0 | References: 8
Snyk
added 2026/01/20 9:52 p.m. | 1 view

CRLF Injection

Overview: Affected versions of this package are vulnerable to CRLF Injection via the http.cookies.Morsel field. An attacker can manipulate HTTP responses by injecting arbitrary headers through user-controlled cookie values or parameters. Remediation: A fix was pushed into the master branch but not...

CVSS 7.5 | AI score 6 | EPSS 0.00401
Exploits: 0 | References: 2
Snyk
added 2026/01/20 9:35 p.m. | 4 views

CRLF Injection

Overview: Affected versions of this package are vulnerable to CRLF Injection via the urllib.request.DataHandler. An attacker can manipulate HTTP headers by injecting newline characters in the mediatype portion of a data URL, to alter request behavior or bypass security controls. Remediation: A fix...

CVSS 6.5 | AI score 6 | EPSS 0.0048
Exploits: 0 | References: 2
vulnersOsv
added 2026/01/20 8:45 p.m. | 3 views

aegis-game (>=2.0.0 <=2.9.9), bittrade-binance-websocket (>=0.2.3 <=0.4.8) +28 more potentially affected by CVE-2025-66902 via websocket-server (>=0.4.0 <=0.6.4)

websocket-server PYPI version =0.4.0, =2.0.0, =0.2.3, =0.1.7, =0.2.0, =0.1.0, =0.1.1, =0.1.0, =0.7.0, =0.0.11, =0.2.0, =0.2.39 and more Source cves: CVE-2025-66902 Source advisory: SNYK:PYTHON-WEBSOCKETSERVER-15046798...

CVSS 7.5 | AI score 5.8 | EPSS 0.00363
Exploits: 1
CNNVD
added 2026/01/20 12:0 a.m. | 5 views

PLY security vulnerabilities

PLY is a Python library developed by B07’s individual developers. Version 3.11 of PLY contains a security vulnerability. This vulnerability stems from the unvalidated deserialization of pickle files via the picklefile parameter in the yacc function, which could lead to remote code execution...

CVSS 9.8 | AI score 7.8 | EPSS 0.1865
Exploits: 3 | References: 9
Vulnrichment
added 2026/01/20 12:0 a.m. | 3 views

CVE-2025-56005

An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the picklefile parameter in the yacc function. This parameter accepts a .pkl file that is deserialized with pickle.load without validation. Because pickle allows execution of embedded...

AI score 9.2 | EPSS 0.1865
Exploits: 3 | References: 4
Mageia
added 2026/01/17 2:48 a.m. | 8 views

Updated python-urllib3 packages fix security vulnerabilities

urllib3 allows an unbounded number of links in the decompression chain (CVE-2025-66418). urllib3 is vulnerable to a decompression-bomb safeguard bypass when following HTTP redirects (streaming API) (CVE-2026-21441)...

CVSS 8.9 | AI score 7 | EPSS 0.0068
Exploits: 0 | References: 3
vulnersOsv
added 2026/01/16 7:53 p.m. | 6 views

0lever-utils (>=0.0.2 <=0.0.7), a2grunnerp (>=0.1.0 <=0.1.8) +755 more potentially affected by CVE-2026-23490 via pyasn1 (>=0.1.7 <=0.6.1)

pyasn1 PYPI version =0.1.7, =0.0.2, =0.1.0, =0.4.0, =0.4.0, =0.1.1, =0.0.5, =0.4.0, =0.0.2, =0.87.2.dev9, =0.30.1, =0.1.0.dev19, =1.3.0, =0.1.0, =0.1.3 and more Source cves: CVE-2026-23490 Source advisory: SNYK:PYTHON-PYASN1-15032639...

CVSS 7.5 | AI score 6.5 | EPSS 0.00491
Exploits: 0
vulnersOsv
added 2026/01/16 2:51 p.m. | 4 views

apetest (>=0.1.0 <=0.1.1), mccole (>=0.2.0 <=5.3.0) potentially affected by CVE-2025-15104 via html5validator (>=0.3.3 <=0.4.2)

html5validator PYPI version =0.3.3, =0.1.0, =0.2.0, =5.3.0 Source cves: CVE-2025-15104 Source advisory: SNYK:PYTHON-HTML5VALIDATOR-15010792...

CVSS 6.9 | AI score 5.4 | EPSS 0.00425
Exploits: 1
vulnersOsv
added 2026/01/13 9:48 p.m. | 7 views

afipcaeqrdecode (=0.0.15), afw (>=0.0.6 <=0.0.21) +209 more potentially affected by CVE-2026-23949 via jaraco-context (>=5.3.0 <=6.0.2)

jaraco-context PYPI version =5.3.0, =0.0.6, =0.1.0, =0.1.23, =0.0.1, =0.9.5, =1.0.5, =0.1.6, =0.1.0, =0.0.2, =0.1.2, =1.0.1, =1.0.1.9 - azvaultcopy =1.0.0b1 and more Source cves: CVE-2026-23949 Source advisory: OSV:GHSA-58PV-8J8X-9VJ2...

CVSS 8.6 | AI score 5.8 | EPSS 0.00527
Exploits: 1
OSV
added 2026/01/13 9:31 p.m. | 4 views

GHSA-JM66-CG57-JJV5 Azure Core is vulnerable to deserialization of untrusted data

Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network...

CVSS 7.5 | AI score 7.3 | EPSS 0.00776
Exploits: 0 | References: 4
vulnersOsv
added 2026/01/13 9:31 p.m. | 2 views

acido (=0.15.0), adstoolbox (>=2025.12.2.2 <=2026.5.19) +207 more potentially affected by CVE-2026-21226 via azure-core (>=1.10.0 <=1.37.0)

azure-core PYPI version =1.10.0, =2025.12.2.2, =0.1.12, =0.1.31, =0.1.1, =0.0.2, =0.0.53, =0.1.0, =0.9.0, =0.2.100, =0.2.123, =1.0.0, =1.0.0, =0.1.0b1, =0.1.0b2 and more Source cves: CVE-2026-21226 Source advisory: SNYK:PYTHON-AZURECORE-14927372...

CVSS 7.5 | AI score 5.4 | EPSS 0.00776
Exploits: 0
Github Security Blog
added 2026/01/13 9:31 p.m. | 13 views

Azure Core is vulnerable to deserialization of untrusted data

Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network...

CVSS 7.5 | AI score 7.4 | EPSS 0.00776
Exploits: 0 | References: 4 | Affected Software: 1
CVE
added 2026/01/13 6:4 p.m. | 21 views

CVE-2026-21226

CVE-2026-21226 affects the Azure Core shared client library for Python via deserialization of untrusted data, enabling remote code execution by an authorized attacker over the network. Affected product in the connected docs is the Azure Core Python package; remediation guidance across sources rec...

CVSS 7.5 | AI score 7 | EPSS 0.00776
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/01/13 6:4 p.m. | 4 views

CVE-2026-21226 Azure Core shared client library for Python Remote Code Execution Vulnerability

...

CVSS 7.5 | AI score 6.6 | EPSS 0.00776
Exploits: 0 | References: 1
OPENSUSE Linux
added 2026/01/13 12:0 a.m. | 3 views

python311-Authlib-1.6.6-1.1 on GA media (moderate)

python311-Authlib-1.6.6-1.1 on GA media Announcement ID: openSUSE-SU-2026:10034-1 Rating: moderate Cross-References: CVE-2025-68158 CVSS scores: CVE-2025-68158 SUSE : 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVE-2025-68158 SUSE : 6.9...

CVSS 6.9 | AI score 7.2 | EPSS 0.00237
Exploits: 1
Debian CVE
added 2026/01/10 4:41 a.m. | 6 views

CVE-2026-22690

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be...

CVSS 6.9 | AI score 5.5 | EPSS 0.00391
Exploits: 0
CNNVD
added 2026/01/10 12:0 a.m. | 4 views

filelock security vulnerability

filelock is an open-source Python file-locking library from the tox development team. Versions of filelock before 3.20.3 contain a security vulnerability that stems from a TOCTOU race condition in the SoftFileLock implementation, which may lead to locking operation failure or...

CVSS 5.3 | AI score 6.4 | EPSS 0.00115
Exploits: 0 | References: 3