Search CVE reports

1 – 10 of 42 results

Detailed view

Sort by:

CVE-2025-12084

Medium priority

Needs evaluation

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

14 affected packages

jython, pypy3, python2.7, python3.4, python3.5...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
jython	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
pypy3	Needs evaluation	Needs evaluation	Needs evaluation	—
python2.7	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
python3.4	Not in release	Not in release	—	—
python3.5	Not in release	Not in release	—	—
python3.6	Not in release	Not in release	—	Needs evaluation
python3.7	Not in release	Not in release	—	Needs evaluation
python3.8	Not in release	Not in release	Needs evaluation	Needs evaluation
python3.9	Not in release	Not in release	Needs evaluation	—
python3.10	Not in release	Needs evaluation	—	—
python3.11	Not in release	Needs evaluation	—	—
python3.12	Needs evaluation	Not in release	—	—
python3.13	Not in release	Not in release	—	—
python3.14	Not in release	Not in release	—	—

CVE-2025-13837

Medium priority

Needs evaluation

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

12 affected packages

python2.7, python3.4, python3.5, python3.6, python3.7...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
python2.7	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
python3.4	Not in release	Not in release	—	—
python3.5	Not in release	Not in release	—	—
python3.6	Not in release	Not in release	—	Needs evaluation
python3.7	Not in release	Not in release	—	Needs evaluation
python3.8	Not in release	Not in release	Needs evaluation	Needs evaluation
python3.9	Not in release	Not in release	Needs evaluation	—
python3.10	Not in release	Needs evaluation	—	—
python3.11	Not in release	Needs evaluation	—	—
python3.12	Needs evaluation	Not in release	—	—
python3.13	Not in release	Not in release	—	—
python3.14	Not in release	Not in release	—	—

CVE-2025-13836

Medium priority

Needs evaluation

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory,...

12 affected packages

python2.7, python3.4, python3.5, python3.6, python3.7...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
python2.7	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
python3.4	Not in release	Not in release	—	—
python3.5	Not in release	Not in release	—	—
python3.6	Not in release	Not in release	—	Needs evaluation
python3.7	Not in release	Not in release	—	Needs evaluation
python3.8	Not in release	Not in release	Needs evaluation	Needs evaluation
python3.9	Not in release	Not in release	Needs evaluation	—
python3.10	Not in release	Needs evaluation	—	—
python3.11	Not in release	Needs evaluation	—	—
python3.12	Needs evaluation	Not in release	—	—
python3.13	Not in release	Not in release	—	—
python3.14	Not in release	Not in release	—	—

CVE-2025-6075

Medium priority

Some fixes available 13 of 24

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

13 affected packages

pypy3, python2.7, python3.4, python3.5, python3.6...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
pypy3	Needs evaluation	Needs evaluation	Needs evaluation	—
python2.7	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
python3.4	Not in release	Not in release	—	—
python3.5	Not in release	Not in release	—	—
python3.6	Not in release	Not in release	—	Fixed
python3.7	Not in release	Not in release	—	Fixed
python3.8	Not in release	Not in release	Fixed	Fixed
python3.9	Not in release	Not in release	Fixed	—
python3.10	Not in release	Fixed	—	—
python3.11	Not in release	Fixed	—	—
python3.12	Fixed	Not in release	—	—
python3.13	Not in release	Not in release	—	—
python3.14	Not in release	Not in release	—	—

CVE-2025-8291

Medium priority

Some fixes available 13 of 19

The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the...

12 affected packages

python2.7, python3.4, python3.5, python3.6, python3.7...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
python2.7	Not in release	Needs evaluation	Needs evaluation	Needs evaluation
python3.4	Not in release	Not in release	—	—
python3.5	Not in release	Not in release	—	—
python3.6	Not in release	Not in release	—	Fixed
python3.7	Not in release	Not in release	—	Fixed
python3.8	Not in release	Not in release	Fixed	Fixed
python3.9	Not in release	Not in release	Fixed	—
python3.10	Not in release	Fixed	—	—
python3.11	Not in release	Fixed	—	—
python3.12	Fixed	Not in release	—	—
python3.13	Not in release	Not in release	—	—
python3.14	Not in release	Not in release	—	—

CVE-2025-8194

Medium priority

Fixed

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop...

12 affected packages

python2.7, python3.4, python3.5, python3.6, python3.7...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
python2.7	Not in release	Fixed	Fixed	Fixed
python3.4	Not in release	Not in release	—	—
python3.5	Not in release	Not in release	—	—
python3.6	Not in release	Not in release	—	Fixed
python3.7	Not in release	Not in release	—	Fixed
python3.8	Not in release	Not in release	Fixed	Fixed
python3.9	Not in release	Not in release	Fixed	—
python3.10	Not in release	Fixed	—	—
python3.11	Not in release	Fixed	—	—
python3.12	Fixed	Not in release	—	—
python3.13	Not in release	Not in release	—	—
python3.14	Not in release	Not in release	—	—

CVE-2025-6069

Medium priority

Some fixes available 13 of 28

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

13 affected packages

jython, python2.7, python3.11, python3.12, python3.13...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
jython	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
python2.7	Not in release	Vulnerable	Vulnerable	Vulnerable
python3.11	Not in release	Fixed	Not in release	Not in release
python3.12	Fixed	Not in release	Not in release	Not in release
python3.13	Not in release	Not in release	Not in release	Not in release
python3.9	Not in release	Not in release	Fixed	Not in release
python3.4	Not in release	Not in release	Not in release	Not in release
python3.5	Not in release	Not in release	Not in release	Not in release
python3.6	Not in release	Not in release	Not in release	Fixed
python3.7	Not in release	Not in release	Not in release	Fixed
python3.8	Not in release	Not in release	Fixed	Fixed
python3.10	Not in release	Fixed	Not in release	Not in release
python3.14	Not in release	Not in release	Not in release	Not in release

CVE-2025-4517

Medium priority

Fixed

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using...

12 affected packages

python2.7, python3.4, python3.5, python3.6, python3.7...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
python2.7	Not in release	Not affected	Not affected	Not affected
python3.4	Not in release	Not in release	—	—
python3.5	Not in release	Not in release	—	—
python3.6	Not in release	Not in release	—	Not affected
python3.7	Not in release	Not in release	—	Not affected
python3.8	Not in release	Not in release	Not affected	Not affected
python3.9	Not in release	Not in release	Not affected	—
python3.10	Not in release	Not affected	—	—
python3.11	Not in release	Not affected	—	—
python3.12	Fixed	Not in release	—	—
python3.13	Not in release	Not in release	—	—
python3.14	Not in release	Not in release	—	—

CVE-2025-4435

Medium priority

Fixed

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions...

12 affected packages

python2.7, python3.4, python3.5, python3.6, python3.7...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
python2.7	Not in release	Not affected	Not affected	Not affected
python3.4	Not in release	Not in release	—	—
python3.5	Not in release	Not in release	—	—
python3.6	Not in release	Not in release	—	Not affected
python3.7	Not in release	Not in release	—	Not affected
python3.8	Not in release	Not in release	Not affected	Not affected
python3.9	Not in release	Not in release	Not affected	—
python3.10	Not in release	Not affected	—	—
python3.11	Not in release	Not affected	—	—
python3.12	Fixed	Not in release	—	—
python3.13	Not in release	Not in release	—	—
python3.14	Not in release	Not in release	—	—

CVE-2025-4330

Medium priority

Fixed

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module...

12 affected packages

python2.7, python3.4, python3.5, python3.6, python3.7...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
python2.7	Not in release	Not affected	Not affected	Not affected
python3.4	Not in release	Not in release	—	—
python3.5	Not in release	Not in release	—	—
python3.6	Not in release	Not in release	—	Not affected
python3.7	Not in release	Not in release	—	Not affected
python3.8	Not in release	Not in release	Not affected	Not affected
python3.9	Not in release	Not in release	Not affected	—
python3.10	Not in release	Not affected	—	—
python3.11	Not in release	Not affected	—	—
python3.12	Fixed	Not in release	—	—
python3.13	Not in release	Not in release	—	—
python3.14	Not in release	Not in release	—	—

Export to JSON

Results by page: