OPENSUSE-SU-2026:20839-1 Security update for python-pytest-html

This update for python-pytest-html fixes the following issues: Changes in python-pytest-html: - CVE-2026-9277: shell-quote: improper escaping of newlines bsc1266254 Update the vendored shell-quote to 1.8.4 nodemodules...

OPENSUSE-SU-2026:20827-1 Security update for python-mistune

This update for python-mistune fixes the following issues - CVE-2026-33079: ReDoS in LINKTITLERE can lead to denial of service via a crafted Markdown bsc1264347. - CVE-2026-33441: processing of malformed reference links can lead to excessive resource consumption and denial of service bsc1264752. ...

Malicious code in my-test-package-2025-xyz (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a2f3ab0a3c7ef9009c99575d9dd051c4a97575435cabf5d3a4c223f53bc47b89 During installation, the package opens a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

MAL-2026-4837 Malicious code in my-test-package-2025-xyz (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a2f3ab0a3c7ef9009c99575d9dd051c4a97575435cabf5d3a4c223f53bc47b89 During installation, the package opens a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

RHSA-2026:21682 Red Hat Security Advisory: python3.9 security update

Bulletin has no description...

web-vulnerability-scanner

web-vulnerability-scanner A P...

python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API

A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...

python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules

A flaw was found in Python's decompression modules, including lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile. This vulnerability, a use-after-free, can occur if a program attempts to re-use a decompression object after a memory allocation error, especially when the system is...

Important: Red Hat Security Advisory: python3.9 security update

An update for python3.9 is now available for Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

[SECURITY] Fedora 44 Update: uv-0.11.15-1.fc44

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

[SECURITY] Fedora 44 Update: python-uv-build-0.11.15-1.fc44

This package is a slimmed down version of uv containing only the build backend...

[SECURITY] Fedora 43 Update: python-uv-build-0.11.15-1.fc43

This package is a slimmed down version of uv containing only the build backend...

[SECURITY] Fedora 43 Update: uv-0.11.15-1.fc43

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

PT-2026-44396

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get signing key forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

Fedora 43 : python-uv-build / rust-astral-tokio-tar / etc (2026-f8487121bd)

The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-f8487121bd advisory. Update uv and python-uv-build to 0.11.5, fixing GHSA-3cv2-h65g-fgmm and GHSA-4gg8-gxpx-9rph. Tenable has extracted the preceding description block directly...

RockyLinux 9 : python3.9 (RLSA-2026:19216)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19216 advisory. python: Python: Command-line option injection in webbrowser.open via crafted URLs CVE-2026-4519 python: Python: Arbitrary code execution or information...

RockyLinux 9 : python-markdown (RLSA-2026:19366)

The remote RockyLinux 9 host has a package installed that is affected by a vulnerability as referenced in the RLSA-2026:19366 advisory. python-markdown: denial of service via malformed HTML-like sequences CVE-2025-69534 Tenable has extracted the preceding description block directly from the...

Python Liquid 路径遍历漏洞

Python Liquid is a Python engine developed by James for processing Liquid templates. Versions of Python Liquid prior to 2.2.0 had a path traversal vulnerability. This vulnerability stemmed from the lack of protection in FileSystemLoader and CachingFileSystemLoader against reading absolute paths,...

PT-2026-45982

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and...