Oracle Linux 8 : python-urllib3 (ELSA-2026-1254)

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2026-1254 advisory. - Security fix for CVE-2025-66471 - Security fix for CVE-2025-66418 Tenable has extracted the preceding description block directly from the Oracle Linu...

AlmaLinux 8 : python3.11-urllib3 (ALSA-2026:1224)

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2026:1224 advisory. urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66418 urllib3: urllib3 Streaming API improperly handles highly...

RHEL 9 : python3.12 (RHSA-2026:1408)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:1408 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

python311-urllib3_1-1.26.20-5.1 on GA media (moderate)

python311-urllib31-1.26.20-5.1 on GA media Announcement ID: openSUSE-SU-2026:10096-1 Rating: moderate Cross-References: CVE-2025-66418 CVE-2025-66471 CVE-2026-21441 CVSS scores: CVE-2025-66418 SUSE : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-66418 SUSE : 6.9...

Moderate: python3.11 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

Moderate: python3.11 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

Moderate: python3.12 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

01os (>=0.0.5 <=0.0.13), 3m (>=0.1.0 <=0.1.3) +2011 more potentially affected by CVE-2026-24688 via pypdf (>=6.0.0 <=6.6.0)

pypdf PYPI version =6.0.0, =0.0.5, =0.1.0, =0.0.1, =0.4.1, =0.3.6, =0.2.5, =0.0.2, =0.2.0, =1.2.27, =0.1.0, =0.6.0, =1.2.32, =1.0.1, =0.2.5, =0.2.10 and more Source cves: CVE-2026-24688 Source advisory: SNYK:PYTHON-PYPDF-15117508...

10xscale-agentflow-cli (=0.1.5), admin-api-lib (>=3.2.0 <=3.4.0) +440 more potentially affected by CVE-2026-24486 via python-multipart (>=0.0.10 <=0.0.21)

python-multipart PYPI version =0.0.10, =3.2.0, =0.8.2.4, =0.1.0, =1.0.202504142220, =0.1.0, =0.4.0, =0.4.0, =0.1.0, =0.4.0, =1.6.21, =0.1.1, =0.1.0, =0.1.13 and more Source cves: CVE-2026-24486 Source advisory: SNYK:PYTHON-PYTHONMULTIPART-15117506...

Directory Traversal

Overview python-multipart is an A streaming multipart parser for Python Affected versions of this package are vulnerable to Directory Traversal via unsinitised file names passed directly into os.path.joinfiledir, fname function. An attacker can write files to arbitrary locations on the filesystem...

GHSA-WP53-J4WJ-2CFG Python-Multipart has Arbitrary File Write via Non-Default Configuration

Summary A Path Traversal vulnerability exists when using non-default configuration options UPLOADDIR and UPLOADKEEPFILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Details When UPLOADDIR is set and UPLOADKEEPFILENAME is...

10xscale-agentflow-cli (=0.1.5), admin-api-lib (>=3.2.0 <=3.4.0) +440 more potentially affected by CVE-2026-24486 via python-multipart (>=0.0.10 <=0.0.21)

python-multipart PYPI version =0.0.10, =3.2.0, =0.8.2.4, =0.1.0, =1.0.202504142220, =0.1.0, =0.4.0, =0.4.0, =0.1.0, =0.4.0, =1.6.21, =0.1.1, =0.1.0, =0.1.13 and more Source cves: CVE-2026-24486 Source advisory: OSV:GHSA-WP53-J4WJ-2CFG...

CVE-2026-24408

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. OAuthSession creates a unique "state" and sends it as a parameter in the authentication request bu...

CVE-2026-24408 sigstore has CSRF possibility in OIDC authentication during signing

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. OAuthSession creates a unique "state" and sends it as a parameter in the authentication request bu...

CVE-2026-24408 sigstore has CSRF possibility in OIDC authentication during signing

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. OAuthSession creates a unique "state" and sends it as a parameter in the authentication request bu...

CVE-2026-24408

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. OAuthSession creates a unique "state" and sends it as a parameter in the authentication request bu...

EUVD-2026-4729

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. OAuthSession creates a unique "state" and sends it as a parameter in the authentication request bu...

CVE-2026-24408 sigstore has CSRF possibility in OIDC authentication during signing

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. OAuthSession creates a unique "state" and sends it as a parameter in the authentication request bu...

Cross-site Request Forgery (CSRF)

Overview sigstore is an A tool for signing Python package distributions Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the OIDC authentication process, which fails to check the state parameter. An attacker in a MitM position can cause a user to sign data...

GHSA-HM8F-75XX-W2VR sigstore CSRF possibility in OIDC authentication during signing

Summary The sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. Details OAuthSession creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Fix...