pkg:Debian/python3.9

69 total CVEsCRITICAL7HIGH21MEDIUM18LOW1

✅ Check your installed version

All known vulnerabilities

  • CRITICAL9.8CVE-2026-7210The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
    from 0
  • CRITICAL9.8CVE-2022-48565An XML External Entity (XXE) issue was discovered in Python through 3.9.1.
    from 0, < 3.9.1~rc1-1
  • CRITICAL9.8CVE-2022-37454Buffer overflow in sponge queue functions
    from 0, < 3.9.2-1+deb11u4
  • CRITICAL9.8CVE-2022-37454Buffer overflow in sponge queue functions
    from 0, < 3.9.2-1+deb11u4
  • CRITICAL9.8CVE-2021-29921In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string.
    from 0, < 3.9.2-1+deb11u2
  • CRITICAL9.8CVE-2021-3177python2.7 - security update
    from 0, < 3.9.1-3
  • CRITICAL9.8CVE-2020-27619In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
    from 0, < 3.9.1~rc1-1
  • HIGH7.8CVE-2024-9287Virtual environment (venv) activation scripts don't quote paths
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.8CVE-2023-6597python3.7 - security update
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.8CVE-2022-42919Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration.
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.6CVE-2015-20107python3.9 - security update
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.6CVE-2015-20107python3.9 - security update
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.5CVE-2025-69534Python-Markdown has an Uncaught Exception
    from 0
  • HIGH7.5CVE-2025-13836Excessive read buffering DoS in http.client
    from 0, < 3.9.2-1+deb11u4
  • HIGH7.5CVE-2025-8194Tarfile infinite loop during parsing with negative member offset
    from 0, < 3.9.2-1+deb11u4
  • HIGH7.5CVE-2024-6232Regular-expression DoS when parsing TarFile headers
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.5CVE-2024-7592Quadratic complexity parsing cookies with backslashes
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.5CVE-2024-4032Incorrect IPv4 and IPv6 private ranges
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.5CVE-2023-24329pypy3 - security update
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.5CVE-2022-45061An issue was discovered in Python before 3.11.1.
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.5CVE-2020-10735pypy3 - security update
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.5CVE-2021-3737A flaw was found in python.
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.5CVE-2022-0391python3.9 - security update
    from 0, < 3.9.2-1+deb11u3
  • HIGH7.5CVE-2022-0391python3.9 - security update
    from 0, < 3.9.2-1+deb11u3
  • HIGH7.5CVE-2019-20907python3.5 - security update
    from 0, < 3.9.0~b5-1
  • HIGH7.4CVE-2024-0397Memory race condition in ssl.SSLContext certificate store methods
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.4CVE-2021-28861Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginn…
    from 0, < 3.9.2-1+deb11u2
  • HIGH7.2CVE-2020-26116http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attac…
    from 0, < 3.9.0~b5-1
  • MEDIUM6.5CVE-2024-5642Buffer overread when using an empty list with SSLContext.set_npn_protocols()
    from 0
  • MEDIUM6.5CVE-2022-48564read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malform…
    from 0, < 3.9.1~rc1-1
  • MEDIUM6.5CVE-2021-3733python3.5 - security update
    from 0, < 3.9.2-1+deb11u2
  • MEDIUM6.2CVE-2024-0450Quoted zip-bomb protection for zipfile
    from 0, < 3.9.2-1+deb11u2
  • MEDIUM6.1CVE-2026-6019BaseCookie.js_output() does not neutralize embedded characters
    from 0
  • MEDIUM5.9CVE-2022-48566An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1.
    from 0, < 3.9.1~rc1-1
  • MEDIUM5.9CVE-2021-23336Web Cache Poisoning
    from 0, < 3.9.2-1
  • MEDIUM5.7CVE-2021-3426There's a flaw in Python 3's pydoc.
    from 0, < 3.9.2-1+deb11u2
  • MEDIUM5.5CVE-2025-13837Out-of-memory when loading Plist
    from 0, < 3.9.2-1+deb11u4
  • MEDIUM5.5CVE-2025-6075Quadratic complexity in os.path.expandvars() with user-controlled template
    from 0, < 3.9.2-1+deb11u4
  • MEDIUM5.5CVE-2024-6923Email header injection due to unquoted newlines
    from 0, < 3.9.2-1+deb11u2
  • MEDIUM5.3CVE-2025-12781base64.b64decode() always accepts "+/" characters, despite setting altchars
    from 0
  • MEDIUM5.3CVE-2025-12084Quadratic complexity in node ID cache clearing
    from 0, < 3.9.2-1+deb11u5
  • MEDIUM5.3CVE-2023-40217An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5.
    from 0, < 3.9.2-1+deb11u2
  • MEDIUM5.3CVE-2023-27043The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character.
    from 0, < 3.9.2-1+deb11u2
  • MEDIUM5.3CVE-2021-4189A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode.
    from 0, < 3.9.2-1+deb11u2
  • MEDIUM4.3CVE-2025-8291ZIP64 End of Central Directory (EOCD) Locator record offset not checked
    from 0, < 3.9.2-1+deb11u4
  • MEDIUM4.3CVE-2025-6069HTMLParser quadratic complexity when processing malformed inputs
    from 0, < 3.9.2-1+deb11u4
  • LOW3.3CVE-2026-4519webbrowser.open() allows leading dashes in URLs
    from 0, < 3.9.2-1+deb11u7
  • CVE-2026-8328FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
    from 0
  • CVE-2026-6100Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
    from 0, < 3.9.2-1+deb11u6
  • CVE-2026-3446Base64 decoding stops at first padded quad by default
    from 0
  • CVE-2026-1502HTTP client proxy tunnel headers not validated for CR/LF
    from 0
  • CVE-2026-3479pkgutil.get_data() does not enforce documented restrictions
    from 0
  • CVE-2026-4224Stack overflow parsing XML with deeply nested DTD content models
    from 0, < 3.9.2-1+deb11u7
  • CVE-2026-3644Incomplete control character validation in http.cookies
    from 0, < 3.9.2-1+deb11u7
  • CVE-2025-13462tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling
    from 0, < 3.9.2-1+deb11u7
  • CVE-2026-2297SourcelessFileLoader does not use io.open_code()
    from 0, < 3.9.2-1+deb11u7
  • CVE-2026-1299email BytesGenerator header injection due to unquoted newlines
    from 0, < 3.9.2-1+deb11u5
  • CVE-2026-0865wsgiref.headers.Headers allows header newline injection
    from 0, < 3.9.2-1+deb11u5
  • CVE-2026-0672Header injection in http.cookies.Morsel
    from 0, < 3.9.2-1+deb11u7
  • CVE-2025-15367POP3 command injection in user-controlled commands
    from 0
  • CVE-2025-15366IMAP command injection in user-controlled commands
    from 0
  • CVE-2025-15282Header injection via newlines in data URL mediatype
    from 0, < 3.9.2-1+deb11u5
  • CVE-2025-11468Folding email comments of unfoldable characters doesn't preserve parenthesis
    from 0, < 3.9.2-1+deb11u5
  • CVE-2025-11468Folding email comments of unfoldable characters doesn't preserve parenthesis
    from 0, < 3.9.2-1+deb11u5
  • CVE-2025-4516Use-after-free in "unicode_escape" decoder with error handler
    from 0, < 3.9.2-1+deb11u4
  • CVE-2025-1795Mishandling of comma during folding and unicode-encoding of email headers
    from 0, < 3.9.2-1+deb11u3
  • CVE-2025-0938URL parser allowed square brackets in domain names
    from 0, < 3.9.2-1+deb11u3
  • CVE-2024-11168Improper validation of IPv6 and IPvFuture addresses
    from 0, < 3.9.2-1+deb11u2
  • CVE-2024-8088Infinite loop when iterating over zip archive entry names from zipfile.Path
    from 0, < 3.9.2-1+deb11u2