Search CVE reports
101 – 110 of 827 results
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to...
1 affected package
python-pip
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-pip | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.
1 affected package
python-geopandas
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-geopandas | — | Fixed | Fixed | Not affected | Not affected |
Some fixes available 2 of 4
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can...
1 affected package
python-multipart
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-multipart | Vulnerable | Fixed | Fixed | — | — |
Some fixes available 1 of 24
The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if...
13 affected packages
pypy3, python2.7, python3.4, python3.5, python3.6...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| pypy3 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | — |
| python2.7 | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
| python3.4 | Not in release | Not in release | Not in release | — | — |
| python3.5 | Not in release | Not in release | Not in release | — | — |
| python3.6 | Not in release | Not in release | Not in release | — | Needs evaluation |
| python3.7 | Not in release | Not in release | Not in release | — | Needs evaluation |
| python3.8 | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
| python3.9 | Not in release | Not in release | Not in release | Needs evaluation | — |
| python3.10 | Not in release | Not in release | Needs evaluation | — | — |
| python3.11 | Not in release | Not in release | Needs evaluation | — | — |
| python3.12 | Not in release | Needs evaluation | Not in release | — | — |
| python3.13 | Not in release | Not in release | Not in release | — | — |
| python3.14 | Fixed | Not in release | Not in release | — | — |
Some fixes available 1 of 10
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions...
2 affected packages
wheel, python-pip
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| wheel | Not affected | Fixed | Not affected | Not affected | Not affected |
| python-pip | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to...
13 affected packages
pypy3, python2.7, python3.4, python3.5, python3.6...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| pypy3 | Ignored | Ignored | Ignored | Ignored | — |
| python2.7 | Not in release | Not in release | Ignored | Ignored | Ignored |
| python3.4 | Not in release | Not in release | Not in release | — | — |
| python3.5 | Not in release | Not in release | Not in release | — | — |
| python3.6 | Not in release | Not in release | Not in release | — | Ignored |
| python3.7 | Not in release | Not in release | Not in release | — | Ignored |
| python3.8 | Not in release | Not in release | Not in release | Ignored | Ignored |
| python3.9 | Not in release | Not in release | Not in release | Ignored | — |
| python3.10 | Not in release | Not in release | Ignored | — | — |
| python3.11 | Not in release | Not in release | Ignored | — | — |
| python3.12 | Not in release | Ignored | Not in release | — | — |
| python3.13 | Not in release | Not in release | Not in release | — | — |
| python3.14 | Ignored | Not in release | Not in release | — | — |
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business...
1 affected package
python-keycloak
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-keycloak | Not in release | Needs evaluation | Not in release | — | — |
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation...
1 affected package
python-keycloak
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python-keycloak | Not in release | Needs evaluation | Not in release | — | — |
User-controlled header names and values containing newlines can allow injecting HTTP headers.
12 affected packages
python2.7, python3.4, python3.5, python3.6, python3.7...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python2.7 | Not in release | Not in release | Fixed | Fixed | Fixed |
| python3.4 | Not in release | Not in release | Not in release | — | — |
| python3.5 | Not in release | Not in release | Not in release | — | — |
| python3.6 | Not in release | Not in release | Not in release | — | Fixed |
| python3.7 | Not in release | Not in release | Not in release | — | Fixed |
| python3.8 | Not in release | Not in release | Not in release | Fixed | Fixed |
| python3.9 | Not in release | Not in release | Not in release | Fixed | — |
| python3.10 | Not in release | Not in release | Fixed | — | — |
| python3.11 | Not in release | Not in release | Fixed | — | — |
| python3.12 | Not in release | Fixed | Not in release | — | — |
| python3.13 | Not in release | Not in release | Not in release | — | — |
| python3.14 | Not affected | Not in release | Not in release | — | — |
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
12 affected packages
python2.7, python3.4, python3.5, python3.6, python3.7...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| python2.7 | Not in release | Not in release | Fixed | Fixed | Fixed |
| python3.4 | Not in release | Not in release | Not in release | — | — |
| python3.5 | Not in release | Not in release | Not in release | — | — |
| python3.6 | Not in release | Not in release | Not in release | — | Fixed |
| python3.7 | Not in release | Not in release | Not in release | — | Fixed |
| python3.8 | Not in release | Not in release | Not in release | Fixed | Fixed |
| python3.9 | Not in release | Not in release | Not in release | Fixed | — |
| python3.10 | Not in release | Not in release | Fixed | — | — |
| python3.11 | Not in release | Not in release | Fixed | — | — |
| python3.12 | Not in release | Fixed | Not in release | — | — |
| python3.13 | Not in release | Not in release | Not in release | — | — |
| python3.14 | Not affected | Not in release | Not in release | — | — |