python security

A newly disclosed Python security issue, tracked as CVE-2026-3479, shows that pkgutil.get_data() did not enforce the path-safety rules its documentation promised. In practice, that meant callers could pass resource names that enabled path traversal instead of being constrained to a...

The Microsoft Security Response Center page for CVE-2026-3644 currently appears to be unavailable, but the underlying issue is not mysterious: it points to incomplete control character validation in Python’s http.cookies module, a class of bug that can let attacker-controlled cookie data bleed...

A deceptively small parsing flaw in the popular Python WSGI utility library Werkzeug can be turned into a powerful denial-of-service weapon: specially crafted multipart/form-data uploads that start with a carriage return (CR) or line feed (LF), followed by megabytes of data without additional...

The discovery and coordinated patching of CVE-2024-0450 closes a subtle but consequential gap in CPython’s zipfile module: quoted‑overlap zip‑bombs that can weaponize compliant ZIP metadata to force excessive, asymmetric resource consumption during extraction. The Python Security Team, upstream...

A Microsoft Security Response Center (MSRC) entry now lists CVE-2026-21226 — a reported remote code execution (RCE) class vulnerability in the Azure Core shared client library for Python — but public technical detail is limited and the vendor’s own “confidence” metric indicates the disclosure is...

filelock, the widely used platform‑independent file‑locking library for Python, is the subject of a newly public vulnerability — CVE‑2025‑68146 — that exposes a classic Time‑of‑Check‑Time‑of‑Use (TOCTOU) race condition in lock file creation. The flaw allows a local attacker who can create...

A newly disclosed vulnerability in the widely used Python HTTP library urllib3 can let small, highly compressed responses force clients to decompress massive amounts of data — consuming CPU and memory and causing denial-of-service conditions for applications that stream HTTP responses. The...

A critical denial-of-service vulnerability has been disclosed in the ubiquitous Python HTTP client library urllib3 that allows a remote server to trigger excessive CPU and memory consumption by specifying an unbounded chain of content encodings in an HTTP response; the flaw affects urllib3...

A subtle but consequential performance flaw in CPython’s xml.dom.minidom has been assigned CVE‑2025‑12084 after maintainers confirmed a quadratic‑time behavior in the node ID cache clearing routine that can be triggered when constructing deeply nested XML documents; the defect has been fixed...

A newly recorded weakness in Python’s standard HTTP client lets a malicious server force a client process to allocate huge amounts of memory by abusing the Content-Length handling, creating a remote Denial‑of‑Service (DoS) and out‑of‑memory (OOM) risk for applications that use the library...