Mailman 3 python.org
Security-announce

[email protected]

  • 73 discussions
[CVE-2026-3087] shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
by Seth Larson, April 27, 2026

There is a MEDIUM severity vulnerability affecting CPython. If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory, which is different than on other operating systems. Only Windows is affected by this vulnerability. Please see the linked CVE ID for the latest information on affected versions:
  • https://www.cve.org/CVERecord?id=CVE-2026-3087
  • https://github.com/python/cpython/pull/146591
[CVE-2026-6357] pip self-update functionality can import newly installed modules after wheel installation
by Seth Larson, April 27, 2026

There is a MEDIUM severity vulnerability affecting the pip project. pip prior to version 26.1 would run self-update check functionality after installing wheel files, which required importing well-known Python module names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation. Please see the linked CVE ID for the latest information on affected versions:
  • https://www.cve.org/CVERecord?id=CVE-2026-6357
  • https://github.com/pypa/pip/pull/13923
[CVE-2026-6019] BaseCookie.js_output() does not neutralize characters in cookie value embedded in JS
by Seth Larson, April 22, 2026

There is a LOW severity vulnerability affecting CPython. http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. The mitigation base64-encodes the cookie value to disallow escaping using the cookie value. Please see the linked CVE ID for the latest information on affected versions:
  • https://www.cve.org/CVERecord?id=CVE-2026-6019
  • https://github.com/python/cpython/pull/148848
[CVE-2026-3298] Out-of-bounds write in Windows asyncio.ProactorEventLoop.sock_recvfrom_into() when using nbytes
by Seth Larson, April 21, 2026

There is a HIGH severity vulnerability affecting CPython. The method "sock_recvfrom_into()" of "asyncio.ProactorEventLoop" (Windows only) was missing a boundary check for the data buffer when using the nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected. Please see the linked CVE ID for the latest information on affected versions:
  • https://www.cve.org/CVERecord?id=CVE-2026-3298
  • https://github.com/python/cpython/pull/148809
[CVE-2026-3219] pip doesn't reject concatenated ZIP and tar archives
by Seth Larson, April 20, 2026

There is a MEDIUM severity vulnerability affecting pip. pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both. Please see the linked CVE ID for the latest information on affected versions:
  • https://www.cve.org/CVERecord?id=CVE-2026-3219
  • https://github.com/pypa/pip/pull/13870
[CVE-2026-5713] Out-of-bounds read/write during remote debugging when connecting to malicious target
by Seth Larson, April 14, 2026

There is a MEDIUM severity vulnerability affecting CPython. The Python remote debugging feature could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR. Please see the linked CVE ID for the latest information on affected versions:
  • https://www.cve.org/CVERecord?id=CVE-2026-5713
  • https://github.com/python/cpython/pull/148187
[CVE-2026-4786] Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
by Seth Larson, April 13, 2026

There is a HIGH severity vulnerability affecting CPython. Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types, and the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details. Please see the linked CVE ID for the latest information on affected versions:
  • https://www.cve.org/CVERecord?id=CVE-2026-4786
  • https://github.com/python/cpython/pull/148170
[CVE-2026-6100] Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
by Seth Larson, April 13, 2026

There is a CRITICAL severity vulnerability affecting CPython. Use-after-free (UAF) was possible in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data, such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()`, is not affected, as a new decompressor instance is created for each call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable. Please see the linked CVE ID for the latest information on affected versions:
  • https://www.cve.org/CVERecord?id=CVE-2026-6100
  • https://github.com/python/cpython/pull/148396
[CVE-2026-3446] Base64 decoding stops at first padded quad by default
by Seth Larson, April 10, 2026

There is a MEDIUM severity vulnerability affecting CPython. When calling base64.b64decode() or related functions, the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "strict=True" to enable stricter processing of base64 data. Please see the linked CVE ID for the latest information on affected versions:
  • https://www.cve.org/CVERecord?id=CVE-2026-3446
  • https://github.com/python/cpython/pull/145267
[CVE-2026-1502] HTTP client proxy tunnel headers not validated for CR/LF
by Seth Larson, April 10, 2026

There is a MEDIUM severity vulnerability affecting CPython. CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. Please see the linked CVE ID for the latest information on affected versions:
  • https://www.cve.org/CVERecord?id=CVE-2026-1502
  • https://github.com/python/cpython/pull/146212