Search CVE reports


Toggle filters

1 – 10 of 43 results


CVE-2026-57585

Medium priority
Needs evaluation

MessagePack is the serializer implementation for Python msgpack.org. Prior to 1.2.1, there is an Out-of-bounds read/crash on Unpacker reuse after a caught error, potentially leading to a DoS attack. If the Unpacker is...

3 affected packages

python-msgpack, python-pip, python-srsly

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
python-msgpack Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
python-pip Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
python-srsly Needs evaluation Needs evaluation Not in release
Show less packages

CVE-2026-9375

Medium priority
Vulnerable

urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three independent code paths in `response.py` that bypass the...

2 affected packages

python-urllib3, python-pip

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
python-urllib3 Vulnerable Vulnerable Vulnerable Vulnerable Vulnerable
python-pip Vulnerable Vulnerable Vulnerable Vulnerable Vulnerable
Show less packages

CVE-2026-45409

Medium priority

Some fixes available 3 of 14

Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as...

2 affected packages

python-idna, python-pip

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
python-idna Fixed Fixed Fixed Needs evaluation Needs evaluation
python-pip Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-8643

Medium priority
Needs evaluation

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

1 affected package

python-pip

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
python-pip Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-44432

Medium priority

Some fixes available 1 of 8

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was...

2 affected packages

python-pip, python-urllib3

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
python-pip Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
python-urllib3 Fixed Not affected Not affected Not affected Not affected
Show less packages

CVE-2026-44431

Medium priority

Some fixes available 4 of 15

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these...

2 affected packages

python-pip, python-urllib3

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
python-pip Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
python-urllib3 Fixed Fixed Fixed Needs evaluation Needs evaluation
Show less packages

CVE-2026-6357

Medium priority
Needs evaluation

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time...

1 affected package

python-pip

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
python-pip Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-3219

Medium priority
Needs evaluation

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files...

1 affected package

python-pip

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
python-pip Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-25645

Low priority
Needs evaluation

Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the...

2 affected packages

requests, python-pip

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
requests Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
python-pip Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-1703

Low priority
Vulnerable

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to...

1 affected package

python-pip

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
python-pip Vulnerable Vulnerable Vulnerable Vulnerable Vulnerable
Show less packages