Lucene search
K

227 matches found

Debian CVE
Debian CVE
added 2026/06/26 7:31 p.m.5 views

CVE-2026-29509

Patool before 4.0.5 contains a path traversal vulnerability in the safeextract function in patoolib/programs/pytarfile.py when running on Python before 3.12, where the iswithindirectory helper uses os.path.commonprefix for character-level string comparison instead of path-level comparison, allowi...

5.4CVSS5.9AI score0.00285EPSS
Exploits0
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.7 views

Astra Linux – Vulnerability in Python 3.11

When constructing nested elements using XMLDom.minidom methods like appendChild, which rely on clearidcache, the algorithm has a quadratic complexity. This can affect the availability of documents when they are constructed with excessively nested structures...

6.3CVSS6.7AI score0.00708EPSS
Exploits0References3
OSV
OSV
added 2026/06/16 5:16 p.m.5 views

DEBIAN-CVE-2026-12003

To allow builds of Python to be run from an in-tree layout rather than an installed file layout, the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python...

5.3CVSS5.3AI score0.00136EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.8 views

CVE-2026-46383

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

5.5CVSS5.5AI score0.0061EPSS
Exploits0References1
Fedora
Fedora
added 2026/05/28 12:48 a.m.26 views

[SECURITY] Fedora 43 Update: uv-0.11.15-1.fc43

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

5.8AI score
Exploits0
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in Pypy

Python versions prior to 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1, and 3.7.0 are vulnerable to catastrophic backtracking in the difflib.IS-LineJUNK method. An attacker could exploit this flaw to cause a denial of service. source-iocs-preserved const=ISLINEJUNK...

7.5CVSS6.7AI score0.04979EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.8 views

Astra Linux – Vulnerability in Pypy

In the http.cookiejar.py module of Python, prior to version 3.7.3, the domain validation mechanism was not properly implemented. This vulnerability could allow existing cookies to be sent to the wrong server. Attackers could exploit this flaw by using a server whose hostname contains another vali...

5.3CVSS7.1AI score0.0388EPSS
Exploits1References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux – Vulnerability in Pypy

Python versions prior to 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1, and 3.7.0 are vulnerable to catastrophic backtracking in Pop3lib’s apop method. An attacker could exploit this flaw to cause a denial of service...

7.5CVSS6.6AI score0.05287EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.10 views

Astra Linux – Vulnerability in Python-Django, Python 2.7

Packages containing “python/cpython” from versions 0 and earlier, including 3.6.13, 3.7.0 and earlier than 3.7.10, 3.8.0 and earlier than 3.8.8, 3.9.0 and earlier than 3.9.2, are vulnerable to Web Cache Poisoning via “urllib.parse.parseqsl” and “urllib.parse.parseqs”. This vulnerability occurs du...

5.9CVSS6.8AI score0.35963EPSS
Exploits1References2
SUSE CVE
SUSE CVE
added 2026/05/19 2:2 a.m.11 views

SUSE CVE-2024-0450

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython...

6.2CVSS6.8AI score0.00336EPSS
Exploits0References18
Github Security Blog
Github Security Blog
added 2026/05/15 6:25 p.m.19 views

Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`

Summary Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a...

5.5CVSS6.1AI score0.0061EPSS
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/05/15 6:25 p.m.10 views

External Control of File Name or Path

Overview apm-cli is a MCP configuration tool Affected versions of this package are vulnerable to External Control of File Name or Path through the tar.extractall function in legacy-bundle probing on Windows systems running Python versions earlier than 3.12. An attacker can overwrite arbitrary fil...

7.4CVSS5.6AI score0.0061EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/15 4:4 p.m.13 views

CVE-2026-46383 Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

5.5CVSS5.8AI score0.0061EPSS
Exploits0References1
CVE
CVE
added 2026/05/15 4:4 p.m.27 views

CVE-2026-46383

Summary: CVE-2026-46383 affects Microsoft APM prior to 0.13.0, where the legacy-bundle probing during apm install on Windows can mishandle local .tar.gz archives. On Python 3.10/3.11, the probe may extract untrusted tar members with tar.extractall() without rejecting Windows absolute member name...

5.5CVSS5.8AI score0.0061EPSS
Exploits0References1
OPENSUSE Linux
OPENSUSE Linux
added 2026/04/30 12:0 a.m.5 views

Security update for python-PyNaCl (moderate)

openSUSE security update: security update for python-pynacl ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20650-1 Rating: moderate References: bsc1161557 bsc1199282 bsc1255764 Cross-References: CVE-2025-69277 CVSS scores: CVE-2025-69277 SUSE : 4.4...

4.8CVSS6.1AI score0.00166EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/04/27 12:0 a.m.17 views

Linux Distros Unpatched Vulnerability : CVE-2026-41140

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path...

8.7CVSS5.8AI score0.00294EPSS
Exploits0References3
Microsoft CVE
Microsoft CVE
added 2026/04/26 8:4 a.m.9 views

Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

...

8.7CVSS5.8AI score0.00294EPSS
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/04/24 5:10 p.m.3 views

CVE-2026-41140

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.datafilter is unavailable. Considering only Python versions which are still supporte...

2.3CVSS5.4AI score0.00294EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/24 5:10 p.m.37 views

CVE-2026-41140

CVE-2026-41140 affects Poetry (Python dependency manager). The vulnerability is in extractall(), src/poetry/utils/helpers.py:410-426, which allowed tarball extraction without path traversal protection on Python versions where tarfile.data_filter is unavailable. Affected supported Poetry/Python ra...

8.7CVSS5.3AI score0.00294EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.11 views

Poetry 路径遍历漏洞

Poetry is an open-source Python tool used for dependency management and packaging. Versions of Poetry prior to 2.3.4 contained a path traversal vulnerability. This vulnerability stemmed from the extractall function failing to provide path traversal protection when extracting sdist tarballs on...

2.3CVSS5.8AI score0.00294EPSS
Exploits0References2
Rows per page
Query Builder