Search for packages
| purl | pkg:deb/debian/python3.13@3.13.5-2?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1uk5-6yqb-dyb5
Aliases: CVE-2025-13837 |
cpython: Out-of-memory when loading Plist |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-8b19-pezx-6bcd
Aliases: CVE-2026-0865 |
cpython: wsgiref.headers.Headers allows header newline injection in Python |
Affected by 1 other vulnerability. |
|
VCID-8dtv-379a-wqfs
Aliases: CVE-2025-13836 |
cpython: Excessive read buffering DoS in http.client |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-94n7-6q4s-3udv
Aliases: CVE-2025-15282 |
cpython: Header injection via newlines in data URL mediatype in Python |
Affected by 1 other vulnerability. |
|
VCID-bn83-d2qp-9bfy
Aliases: CVE-2025-11468 |
cpython: Missing character filtering in Python |
Affected by 1 other vulnerability. |
|
VCID-emaw-jmek-9bcy
Aliases: CVE-2025-6069 |
cpython: Python HTMLParser quadratic complexity |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-fcsb-dn49-47gy
Aliases: CVE-2025-6075 |
python: Quadratic complexity in os.path.expandvars() with user-controlled template |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-kn9b-2gxw-gqgx
Aliases: CVE-2026-1299 |
cpython: email header injection due to unquoted newlines |
Affected by 1 other vulnerability. |
|
VCID-mtk7-qut6-syd8
Aliases: CVE-2025-8194 |
cpython: Cpython infinite loop when parsing a tarfile |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-nqqc-u8d5-8qf6
Aliases: CVE-2025-12084 |
cpython: python: cpython: Quadratic algorithm in xml.dom.minidom leads to denial of service |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-zh1r-7rzh-2bez
Aliases: CVE-2026-0672 |
cpython: Header injection in http.cookies.Morsel in Python |
Affected by 1 other vulnerability. |
|
VCID-znkr-fxtj-4uc7
Aliases: CVE-2025-8291 |
cpython: python: Python zipfile End of Central Directory (EOCD) Locator record offset not checked |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1hw3-vhwb-nkcd | Multiple vulberabilities have been discovered in Python and PyPy, the worst of which can lead to privilege escalation. |
CVE-2024-12718
|
| VCID-2v5u-2z4w-ffgx | python: incorrect IPv4 and IPv6 private ranges |
CVE-2024-4032
|
| VCID-4afh-28ss-mudf | Multiple vulberabilities have been discovered in Python and PyPy, the worst of which can lead to privilege escalation. |
CVE-2025-4138
|
| VCID-5maz-1h1k-3qfj | Multiple vulberabilities have been discovered in Python and PyPy, the worst of which can lead to privilege escalation. |
CVE-2025-4516
|
| VCID-757r-fs6p-qqdd | Multiple vulberabilities have been discovered in Python and PyPy, the worst of which can lead to privilege escalation. |
CVE-2025-4517
|
| VCID-7s7y-9bw5-m3ep | Multiple vulberabilities have been discovered in Python and PyPy, the worst of which can lead to privilege escalation. |
CVE-2024-6232
|
| VCID-8hug-fhhb-sbgt | python: Invalid value for OpenSSL API may cause Buffer over-read when NPN is used |
CVE-2024-5642
|
| VCID-8zdt-4q7m-t7ht | Multiple vulberabilities have been discovered in Python and PyPy, the worst of which can lead to privilege escalation. |
CVE-2025-4330
|
| VCID-9nvp-aus1-9yed | Multiple vulberabilities have been discovered in Python and PyPy, the worst of which can lead to privilege escalation. |
CVE-2024-6923
|
| VCID-9sms-mhht-n3aq | python: Mishandling of comma during folding and unicode-encoding of email headers |
CVE-2025-1795
|
| VCID-dnv8-yrd6-c7cv | Multiple vulberabilities have been discovered in Python and PyPy, the worst of which can lead to privilege escalation. |
CVE-2024-8088
|
| VCID-e6sb-bh7v-9ugg | python: cpython: URL parser allowed square brackets in domain names |
CVE-2025-0938
|
| VCID-gar7-7upf-d7cz | Python-Markdown has an Uncaught Exception Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions. |
CVE-2025-69534
GHSA-5wmx-573v-2qwq |
| VCID-q6g1-cjz3-77e4 | cpython: Tarfile extracts filtered members when errorlevel=0 |
CVE-2025-4435
|
| VCID-qwhz-912b-8kh5 | cpython: python: Memory race condition in ssl.SSLContext certificate store methods |
CVE-2024-0397
|
| VCID-s5yq-pjhc-fbcm | python: Default mimetype known files writeable on Windows |
CVE-2024-3220
|
| VCID-tbuw-2msj-tqd9 | python: Virtual environment (venv) activation scripts don't quote paths |
CVE-2024-9287
|
| VCID-uvcx-satp-m3db | python: Unbounded memory buffering in SelectorSocketTransport.writelines() |
CVE-2024-12254
|
| VCID-v186-7sv1-ubej | Multiple vulberabilities have been discovered in Python and PyPy, the worst of which can lead to privilege escalation. |
CVE-2024-7592
|
| VCID-ymg5-42xm-7fh9 | The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included. |
CVE-2024-3219
|
| VCID-zxzn-25zt-ukct | Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details. |
CVE-2026-4786
|