27 matches found
Security update for python-python-dotenv (moderate)
openSUSE security update: security update for python-python-dotenv ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20952-1 Rating: moderate References: bsc1262423 Cross-References: CVE-2026-28684 CVSS scores: CVE-2026-28684 SUSE : 6.6...
ROOT-APP-PYPI-CVE-2026-28684 CVE-2026-28684 in rootio-python-dotenv - Patched by Root
Root has patched CVE-2026-28684 in the rootio-python-dotenv package for Root:PyPI. Multiple fixed versions available...
[SECURITY] Fedora 43 Update: python-dotenv-1.2.2-1.fc43
Reads the key/value pairs from a .env file and can add them to environment variables...
Fedora 44 : python-dotenv (2026-79e64d2daa)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-79e64d2daa advisory. Update to 1.2.2, security fix for CVE-2026-28684. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that...
Fedora 43 : python-dotenv (2026-20312e36a8)
The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-20312e36a8 advisory. Update to 1.2.2, security fix for CVE-2026-28684. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that...
OESA-2026-2199 python-dotenv security update
Python-dotenv reads key-value pairs from a .env file and can set them as environment variables. It helps in the development of applications following the 12-factor principles. Security Fixes: python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to...
OESA-2026-2198 python-dotenv security update
Python-dotenv reads key-value pairs from a .env file and can set them as environment variables. It helps in the development of applications following the 12-factor principles. Security Fixes: python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to...
CVE-2026-28684
A flaw was found in python-dotenv. A local attacker can exploit this by crafting a symbolic link, which the setkey and unsetkey functions in python-dotenv follow when rewriting .env files. This can lead to the overwriting of arbitrary files on the system. Mitigation Mitigation for this issue is...
1password-secrets (>=0.0.1 <=0.4.0), 42towels (>=0.1.1001 <=0.1.1011) +3366 more potentially affected by CVE-2026-28684 via python-dotenv (>=0.1.0 <=1.2.1)
python-dotenv PYPI version =0.1.0, =0.0.1, =0.1.1001, =2.3.0, =0.15.1, =0.1.0, =0.1.0, =1.0.0, =2.3.9, =1.18.8, =0.1.0b0, =1.0.4, =2.0.0rc0 and more Source cves: CVE-2026-28684 Source advisory: OSV:GHSA-MF9W-MJ56-HR94...
EUVD-2026-23901
python-dotenv: Symlink following in setkey allows arbitrary file overwrite via cross-device rename fallback...
GHSA-MF9W-MJ56-HR94 python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
Summary setkey and unsetkey in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Details The rewrite context manager in dotenv/main.py is used by both setkey...
SUSE CVE-2026-28684
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, setkey and unsetkey in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a...
1password-secrets (>=0.0.1.dev107 <=0.4.0), 42towels (>=0.1.1001 <=0.1.1011) +2355 more potentially affected by CVE-2026-28684 via python-dotenv (>=1.0.0 <=1.2.1)
python-dotenv PYPI version =1.0.0, =0.0.1.dev107, =0.1.1001, =2.3.0, =0.15.1, =0.1.0, =0.1.0, =1.0.0, =2.3.9, =1.18.8, =0.1.0b0, =0.0.1, =0.0.0, =0.0.9 and more Source cves: CVE-2026-28684 Source advisory: SNYK:PYTHON-PYTHONDOTENV-16115271...
CVE-2026-28684
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, setkey and unsetkey in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a...
CVE-2026-28684
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, setkey and unsetkey in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a...
UBUNTU-CVE-2026-28684
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, setkey and unsetkey in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a...
CVE-2026-28684 python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, setkey and unsetkey in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a...
CVE-2026-28684
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, setkey and unsetkey in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a...
CVE-2026-28684
CVE-2026-28684 (python-dotenv) : The issue affects python-dotenv where the functions set_key() and unset_key() follow symbolic links when rewriting the .env file. This behavior enables a local attacker to overwrite arbitrary files via a crafted symlink during a cross-device rename fallback. Impac...
CVE-2026-28684 python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, setkey and unsetkey in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a...