pkg:Bitnami/python

88 total CVEsCRITICAL9HIGH25MEDIUM26LOW1

✅ Check your installed version

All known vulnerabilities

CRITICAL9.8CVE-2026-7210The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
from 0
CRITICAL9.8CVE-2007-4559Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remo…
from 0, < 3.6.16, >= 3.7.0, < 3.8.17, >= 3.9.0, < 3.9.17, >= 3.10.0, < 3.10.12, >= 3.11.0, < 3.11.4
CRITICAL9.8CVE-2020-15801In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations.
>= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.5
CRITICAL9.8CVE-2022-48565An XML External Entity (XXE) issue was discovered in Python through 3.9.1.
from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.1
CRITICAL9.8CVE-2022-37454Buffer overflow in sponge queue functions
>= 3.6.0, < 3.7.16, >= 3.8.0, < 3.8.16, >= 3.9.0, < 3.9.16, >= 3.10.0, < 3.10.9
CRITICAL9.8CVE-2021-29921In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string.
>= 3.8.0, < 3.8.12, >= 3.9.0, < 3.9.5
CRITICAL9.8CVE-2021-3177python2.7 - security update
from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.2
CRITICAL9.8CVE-2020-27619In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
>= 3.0.0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.1
CRITICAL9.4CVE-2025-4517Arbitrary writes via tarfile realpath overflow
from 0, < 3.9.23, >= 3.10.0, < 3.10.18, >= 3.11.0, < 3.11.13, >= 3.12.0, < 3.12.11, >= 3.13.0, < 3.13.4
HIGH7.8CVE-2020-15523In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4, and 3.9 through 3.9.0 on Windows, a Trojan horse python3.dll might be u…
>= 3.5.0, < 3.5.10, >= 3.6.0, < 3.6.12, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.4
HIGH7.8CVE-2024-9287Virtual environment (venv) activation scripts don't quote paths
from 0, < 3.9.21, >= 3.10.0, < 3.10.16, >= 3.11.0, < 3.11.11, >= 3.12.0, < 3.12.8, >= 3.13.0, < 3.13.1
HIGH7.8CVE-2023-6597python3.7 - security update
from 0, < 3.8.19, >= 3.9.0, < 3.9.19, >= 3.10.0, < 3.10.14, >= 3.11.0, < 3.11.8, >= 3.12.0, < 3.12.1
HIGH7.8CVE-2022-42919Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration.
>= 3.7.3, < 3.7.16, >= 3.8.3, < 3.8.16, >= 3.9.0, < 3.9.16, >= 3.10.0, < 3.10.9
HIGH7.5CVE-2025-13836Excessive read buffering DoS in http.client
from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.11, >= 3.14.0, < 3.14.1
HIGH7.5CVE-2023-36632The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exc…
from 0, < 3.11.5
HIGH7.5CVE-2025-8194Tarfile infinite loop during parsing with negative member offset
from 0, < 3.9.24, >= 3.10.0, < 3.10.19, >= 3.11.0, < 3.11.14, >= 3.12.0, < 3.12.12, >= 3.13.0, < 3.13.6
HIGH7.5CVE-2025-4435Tarfile extracts filtered members when errorlevel=0
from 0, < 3.9.23, >= 3.10.0, < 3.10.18, >= 3.11.0, < 3.11.13, >= 3.12.0, < 3.12.11, >= 3.13.0, < 3.13.4
HIGH7.5CVE-2025-4330Extraction filter bypass for linking outside extraction directory
from 0, < 3.9.23, >= 3.10.0, < 3.10.18, >= 3.11.0, < 3.11.13, >= 3.12.0, < 3.12.11, >= 3.13.0, < 3.13.4
HIGH7.5CVE-2025-4138Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory
from 0, < 3.9.23, >= 3.10.0, < 3.10.18, >= 3.11.0, < 3.11.13, >= 3.12.0, < 3.12.11, >= 3.13.0, < 3.13.4
HIGH7.5CVE-2024-6232Regular-expression DoS when parsing TarFile headers
from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6
HIGH7.5CVE-2024-7592Quadratic complexity parsing cookies with backslashes
from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6
HIGH7.5CVE-2024-4032Incorrect IPv4 and IPv6 private ranges
from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.4
HIGH7.5CVE-2023-41105An issue was discovered in Python 3.11 through 3.11.4.
>= 3.11.0, < 3.11.5
HIGH7.5CVE-2022-48560python3.7 - security update
from 0, < 3.6.11, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.2
HIGH7.5CVE-2023-24329pypy3 - security update
from 0, < 3.7.17, >= 3.8.0, < 3.8.17, >= 3.9.0, < 3.9.17, >= 3.10.0, < 3.10.12, >= 3.11.0, < 3.11.4
HIGH7.5CVE-2022-45061An issue was discovered in Python before 3.11.1.
from 0, < 3.7.16, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.1, >= 3.8.0, < 3.8.16, >= 3.9.0, < 3.9.16
HIGH7.5CVE-2020-10735pypy3 - security update
>= 3.7.0, < 3.7.14, >= 3.8.0, < 3.8.14, >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.7
HIGH7.5CVE-2021-3737A flaw was found in python.
>= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.11, >= 3.9.0, < 3.9.6
HIGH7.5CVE-2022-0391python3.9 - security update
from 0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.11, >= 3.9.0, < 3.9.5
HIGH7.4CVE-2024-0397python3.11 - security update
from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.14, >= 3.11.0, < 3.11.9, >= 3.12.0, < 3.12.3
HIGH7.4CVE-2021-28861Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginn…
>= 3.0.0, < 3.7.14, >= 3.8.0, < 3.8.14, >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.6
HIGH7.2CVE-2020-26116http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attac…
>= 3.0.0, < 3.5.10, >= 3.6.0, < 3.6.12, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.5
HIGH7.1CVE-2024-4030On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporar…
from 0, < 3.12.4
HIGH7.0CVE-2022-26488In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured.
from 0, < 3.7.13, >= 3.10.0, < 3.10.3, >= 3.8.0, < 3.8.13, >= 3.9.0, < 3.9.11
MEDIUM6.5CVE-2024-5642Buffer overread when using an empty list with SSLContext.set_npn_protocols()
from 0, < 3.9.24
MEDIUM6.5CVE-2022-48564read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malform…
from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.1
MEDIUM6.5CVE-2021-3733python3.5 - security update
from 0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.10, >= 3.9.0, < 3.9.5
MEDIUM6.5CVE-2020-8492Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct…
>= 2.7.0, < 2.7.18, >= 3.5.0, < 3.5.10, >= 3.6.0, < 3.6.11, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.2
MEDIUM6.2CVE-2024-0450python2.7 - security update
from 0, < 3.8.19, >= 3.9.0, < 3.9.19, >= 3.10.0, < 3.10.14, >= 3.11.0, < 3.11.8, >= 3.12.0, < 3.12.2
MEDIUM6.1CVE-2026-6019BaseCookie.js_output() does not neutralize embedded characters
from 0, < 3.14.5
MEDIUM5.9CVE-2024-50602expat - security update
from 0, < 3.9.21, >= 3.10.0, < 3.10.16, >= 3.11.0, < 3.11.11, >= 3.12.0, < 3.12.8, >= 3.13.0, < 3.13.1
MEDIUM5.9CVE-2022-48566An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1.
from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.1
MEDIUM5.9CVE-2021-23336Web Cache Poisoning
from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.2
MEDIUM5.9CVE-2020-14422python-ipaddress - security update
>= 3.0.0, < 3.5.10, >= 3.6.0, < 3.6.12, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.4
MEDIUM5.7CVE-2021-3426There's a flaw in Python 3's pydoc.
from 0, < 2.7.18, >= 3.6.0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.3
MEDIUM5.5CVE-2025-13837Out-of-memory when loading Plist
from 0, < 3.13.10, >= 3.14.0, < 3.14.1
MEDIUM5.5CVE-2025-6075Quadratic complexity in os.path.expandvars() with user-controlled template
from 0, < 3.9.25, >= 3.10.0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.10, >= 3.14.0, < 3.14.1
MEDIUM5.5CVE-2023-33595CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.
>= 3.12.0-alpha0, < 3.12.0-alpha8
MEDIUM5.5CVE-2024-6923Email header injection due to unquoted newlines
from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.5
MEDIUM5.5CVE-2020-8315In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may…
>= 3.6.0, < 3.6.11, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.2
MEDIUM5.3CVE-2025-12781base64.b64decode() always accepts "+/" characters, despite setting altchars
from 0, < 3.15.0
MEDIUM5.3CVE-2025-12084Quadratic complexity in node ID cache clearing
from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.11, >= 3.14.0, < 3.14.2
MEDIUM5.3CVE-2024-12718Bypass extraction filter to modify file metadata outside extraction directory
from 0, < 3.9.23, >= 3.10.0, < 3.10.18, >= 3.11.0, < 3.11.13, >= 3.12.0, < 3.12.11, >= 3.13.0, < 3.13.4
MEDIUM5.3CVE-2023-38898An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component.
>= 3.13.0-alpha0, <= 3.13.0-alpha0
MEDIUM5.3CVE-2023-40217An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5.
from 0, < 3.8.18, >= 3.9.0, < 3.9.18, >= 3.10.0, < 3.10.13, >= 3.11.0, < 3.11.5
MEDIUM5.3CVE-2023-27043The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character.
from 0, < 3.8.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6, >= 3.9.0, < 3.9.20
MEDIUM5.3CVE-2021-4189A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode.
>= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.3, >= 3.10.0, < 3.10.1
MEDIUM4.9CVE-2023-6507Groups not dropped before running subprocess when using empty 'extra_groups' parameter
>= 3.12.0, < 3.12.1
MEDIUM4.3CVE-2025-8291ZIP64 End of Central Directory (EOCD) Locator record offset not checked
from 0, < 3.9.24, >= 3.10.0, < 3.10.19, >= 3.11.0, < 3.11.14, >= 3.12.0, < 3.12.12, >= 3.13.0, < 3.13.10, >= 3.14.0, < 3.14.1
MEDIUM4.3CVE-2025-6069HTMLParser quadratic complexity when processing malformed inputs
from 0, < 3.9.24, >= 3.10.0, < 3.10.19, >= 3.11.0, < 3.11.14, >= 3.12.0, < 3.12.12, >= 3.13.0, < 3.13.6
LOW3.3CVE-2026-4519webbrowser.open() allows leading dashes in URLs
from 0, < 3.15.0
—CVE-2026-8328FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
from 0, < 3.14.5
—CVE-2026-3087shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
from 0, < 3.14.5
—CVE-2026-3298Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes
>= 3.11.0, < 3.14.5
—CVE-2026-5713Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target
>= 3.15.0
—CVE-2026-4786Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
from 0, < 3.14.5
—CVE-2026-6100Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
from 0, < 3.14.5
—CVE-2026-3446Base64 decoding stops at first padded quad by default
from 0, < 3.13.13, >= 3.14.0, < 3.14.4
—CVE-2026-1502HTTP client proxy tunnel headers not validated for CR/LF
from 0, < 3.14.5
—CVE-2026-3479pkgutil.get_data() does not enforce documented restrictions
from 0, < 3.15.0
—CVE-2026-4224Stack overflow parsing XML with deeply nested DTD content models
from 0, < 3.13.13, >= 3.14.0, < 3.14.4
—CVE-2026-3644Incomplete control character validation in http.cookies
from 0, < 3.15.0
—CVE-2025-13462tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling
from 0, < 3.15.0
—CVE-2026-2297SourcelessFileLoader does not use io.open_code()
from 0, < 3.15.0
—CVE-2026-1299email BytesGenerator header injection due to unquoted newlines
from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
—CVE-2026-0865wsgiref.headers.Headers allows header newline injection
from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
—CVE-2026-0672Header injection in http.cookies.Morsel
from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
—CVE-2025-15367POP3 command injection in user-controlled commands
from 0, < 3.15.0
—CVE-2025-15366IMAP command injection in user-controlled commands
from 0, < 3.15.0
—CVE-2025-15282Header injection via newlines in data URL mediatype
from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
—CVE-2025-11468Folding email comments of unfoldable characters doesn't preserve parenthesis
from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
—CVE-2025-4516Use-after-free in "unicode_escape" decoder with error handler
from 0, < 3.9.23, >= 3.10.0, < 3.10.18, >= 3.11.0, < 3.11.13, >= 3.12.0, < 3.12.11, >= 3.13.0, < 3.13.4
—CVE-2025-1795Mishandling of comma during folding and unicode-encoding of email headers
from 0, < 3.9.23, >= 3.10.0, < 3.10.17, >= 3.11.0, < 3.11.9, >= 3.12.0, < 3.12.3
—CVE-2024-3220There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable…
from 0, < 3.14.0
—CVE-2025-0938URL parser allowed square brackets in domain names
from 0, < 3.9.22, >= 3.10.0, < 3.10.17, >= 3.11.0, < 3.11.12, >= 3.12.0, < 3.12.9, >= 3.13.0, < 3.13.2
—CVE-2024-12254Unbounded memory buffering in SelectorSocketTransport.writelines()
>= 3.12.0, < 3.12.9, >= 3.13.0, < 3.13.2
—CVE-2024-11168Improper validation of IPv6 and IPvFuture addresses
from 0, < 3.9.21, >= 3.10.0, < 3.10.16, >= 3.11.0, < 3.11.4
—CVE-2024-8088Infinite loop when iterating over zip archive entry names from zipfile.Path
from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6