Cpython
This hub aggregates every CVE we track for Cpython, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 52
- Critical: 3
- High: 23
- In CISA KEV: 0
Severity distribution
- HIGH: 23
- MEDIUM: 22
- LOW: 4
- CRITICAL: 3
Monthly trend
2024-08 to 2026-07: 3, 1, 1, 1, 1, 1, 1, 0, 0, 1, 6, 1, 0, 0, 2, 1, 3, 8, 0, 5, 5, 1, 1, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Cpython.
- BDU:2026-08551: Vulnerability in the ast_for_if_stmt() function of the Python programming language interpreter (CPython), related to pointer dereference errors, allowing an attacker to cause a denial of service (score 5.5)
- CVE-2026-7210: The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection (score 7.5)
- CVE-2026-3087: shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs (score 7.5)
- CVE-2026-6019: BaseCookie.js_output() does not neutralize embedded characters (score 6.1)
- CVE-2026-5713: Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target (score 5.6)
- CVE-2026-4786: Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() (score 7.1)
- CVE-2026-6100: Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure (score 8.1)
- CVE-2026-4519: webbrowser.open() allows leading dashes in URLs (score 3.3)
- CVE-2026-4224: Stack overflow parsing XML with deeply nested DTD content models (score 7.5)
- CVE-2026-3644: Incomplete control character validation in http.cookies (score 7.5)
- CVE-2025-13462: tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling (score 3.3)
- CVE-2026-2297: SourcelessFileLoader does not use io.open_code() (score 5.5)
- CVE-2026-1299: email BytesGenerator header injection due to unquoted newlines (score 7.1)
- CVE-2025-12781: base64.b64decode() always accepts "+/" characters, despite setting altchars (score 5.3)
- CVE-2026-0672: Header injection in http.cookies.Morsel (score 7.1)
Product normalization is registry-driven with AI assist and human review.