Severity | CVSS | CVE | Title | Affected version range
--- | --- | --- | --- | ---
CRITICAL | 9.8 | CVE-2026-7210 | The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection | from 0
CRITICAL | 9.4 | CVE-2025-4517 | Arbitrary writes via tarfile realpath overflow | from 0, < 3.13.4-1
HIGH | 7.8 | CVE-2024-9287 | Virtual environment (venv) activation scripts don't quote paths | from 0, < 3.13.1-1
 |  |  |  | from 0, < 3.13.4-1
 |  |  |  | from 0, < 3.13.5-2+deb13u1
HIGH | 7.5 | CVE-2025-8194 | Tarfile infinite loop during parsing with negative member offset | from 0, < 3.13.5-2+deb13u1
HIGH | 7.5 | CVE-2025-4435 | Tarfile extracts filtered members when errorlevel=0 | from 0, < 3.13.4-1
HIGH | 7.5 | CVE-2025-4330 | Extraction filter bypass for linking outside extraction directory | from 0, < 3.13.4-1
HIGH | 7.5 | CVE-2025-4138 | Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory | from 0, < 3.13.4-1
HIGH | 7.5 | CVE-2024-6232 | Regular-expression DoS when parsing TarFile headers | from 0, < 3.13.0~rc2-1
HIGH | 7.5 | CVE-2024-7592 | Quadratic complexity parsing cookies with backslashes | from 0, < 3.13.0~rc2-1
MEDIUM | 6.1 | CVE-2026-6019 | BaseCookie.js_output() does not neutralize embedded characters | from 0, < 3.13.5-2+deb13u2
 |  |  |  | from 0, < 3.13.5-2+deb13u1
MEDIUM | 5.5 | CVE-2025-6075 | Quadratic complexity in os.path.expandvars() with user-controlled template | from 0, < 3.13.5-2+deb13u1
MEDIUM | 5.5 | CVE-2024-6923 | Email header injection due to unquoted newlines | from 0, < 3.13.0~rc2-1
MEDIUM | 5.3 | CVE-2025-12781 | base64.b64decode() always accepts "+/" characters, despite setting altchars | from 0
 |  |  |  | from 0, < 3.13.5-2+deb13u1
MEDIUM | 5.3 | CVE-2024-12718 | Bypass extraction filter to modify file metadata outside extraction directory | from 0, < 3.13.4-1
MEDIUM | 4.3 | CVE-2025-8291 | ZIP64 End of Central Directory (EOCD) Locator record offset not checked | from 0, < 3.13.5-2+deb13u1
MEDIUM | 4.3 | CVE-2025-6069 | HTMLParser quadratic complexity when processing malformed inputs | from 0, < 3.13.5-2+deb13u1
LOW | 3.3 | CVE-2026-4519 | webbrowser.open() allows leading dashes in URLs | from 0, < 3.13.5-2+deb13u2
— | — | CVE-2026-8328 | FTP PASV SSRF: ftpcp() does not use actual peer address, trusts server-supplied PASV host address | from 0
— | — | CVE-2026-4786 | Incomplete mitigation of CVE-2026-4519: %action expansion for command injection to webbrowser.open() | from 0
— | — | CVE-2026-6100 | Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure | from 0, < 3.13.5-2+deb13u2
— | — | CVE-2026-3446 | Base64 decoding stops at first padded quad by default | from 0, < 3.13.5-2+deb13u2
— | — | CVE-2026-1502 | HTTP client proxy tunnel headers not validated for CR/LF | from 0
— | — | CVE-2026-3479 | pkgutil.get_data() does not enforce documented restrictions | from 0
— | — | CVE-2026-4224 | Stack overflow parsing XML with deeply nested DTD content models | from 0, < 3.13.5-2+deb13u2
— | — | CVE-2026-3644 | Incomplete control character validation in http.cookies | from 0, < 3.13.5-2+deb13u2
— | — | CVE-2025-13462 | tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling | from 0, < 3.13.5-2+deb13u1
 |  |  |  | from 0, < 3.13.5-2+deb13u1
— | — | CVE-2026-1299 | email BytesGenerator header injection due to unquoted newlines | from 0, < 3.13.5-2+deb13u1
— | — | CVE-2026-0865 | wsgiref.headers.Headers allows header newline injection | from 0, < 3.13.5-2+deb13u1
 |  |  |  | from 0, < 3.13.5-2+deb13u1
 |  |  |  | from 0
 |  |  |  | from 0
 |  |  |  | from 0, < 3.13.5-2+deb13u1
— | — | CVE-2025-11468 | Folding email comments of unfoldable characters doesn't preserve parenthesis | from 0, < 3.13.5-2+deb13u1
— | — | CVE-2025-4516 | Use-after-free in "unicode_escape" decoder with error handler | from 0, < 3.13.3-4
— | — | CVE-2025-1795 | Mishandling of comma during folding and unicode-encoding of email headers | from 0, < 3.13.0~b1-1
 |  |  |  | from 0, < 3.13.2-1
— | — | CVE-2024-12254 | Unbounded memory buffering in SelectorSocketTransport.writelines() | from 0, < 3.13.1-2
— | — | CVE-2024-8088 | Infinite loop when iterating over zip archive entry names from zipfile.Path | from 0, < 3.13.0~rc2-1