I completed my list: the 30 CVEs are now listed on my page!

Well, except for two special cases:

* CVE-2016-1494: vulnerability in the 3rd party module "python-rsa"
* CVE-2015-5652: sys.path on Windows -- not fixed

See also my notes on sys.path:
http://python-security.readthedocs.io/#misc

The last major vulnerability not documented yet is cookielib which has a long story. I don't know yet how to summarize it as individual "vulnerabilities".

https://hackerone.com/reports/26647

https://bugs.python.org/issue16611
#16611: BaseCookie now parses 'secure' and 'httponly' flags.

https://bugs.python.org/issue22796
Regression in Python 3.2 cookie parsing

https://bugs.python.org/issue25228
Support for httponly/secure cookies reintroduced lax parsing behavior

https://code.djangoproject.com/ticket/26158
cookie parsing fails with python 3.x if request contains unnamed cookie

Victor