Mailman 3 March 2026 - Security-announce

[CVE-2026-4519] webbrowser.open() API allows leading dashes
by Seth Larson March 20, 2026

March 20, 2026

There is a MEDIUM severity vulnerability affecting CPython. The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open(). Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-4519 * https://github.com/python/cpython/pull/143931

1 0

[CVE-2026-3479] pkgutil.get_data does not enforce documented restrictions
by Stan Ulbrych March 18, 2026

March 18, 2026

There is a LOW severity vulnerability affecting CPython. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-3479 * https://github.com/python/cpython/pull/146122

1 0

[CVE-2026-4224] Stack overflow parsing XML with deeply nested DTD content models
by Stan Ulbrych March 16, 2026

March 16, 2026

There is a HIGH severity vulnerability affecting CPython. When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-4224 * https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf…

1 0

[CVE-2026-3644] Incomplete control character validation in http.cookies
by Stan Ulbrych March 16, 2026

March 16, 2026

There is a MEDIUM severity vulnerability affecting CPython. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-3644 * https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d… -- Best regards, Stan Ulbrych.

1 0

[CVE-2025-13462]: tarfile: Skip DIRTYPE normalization during GNU long name and link handling
by Seth Larson March 12, 2026

March 12, 2026

There is a LOW severity vulnerability affecting CPython. The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2025-13462 * https://github.com/python/cpython/pull/143934

1 0

[CVE-2026-2297] SourcelessFileLoader does not use io.open_code()
by Seth Larson March 4, 2026

March 4, 2026

There is a MEDIUM severity vulnerability affecting CPython. The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-2297 * https://github.com/python/cpython/pull/145507

1 0