Cpython Pythonsoftwarefoundation Cpython


By the Year

In 2026 there have been 0 vulnerabilities in Pythonsoftwarefoundation Cpython. Last year, in 2025, Cpython had 1 security vulnerability published. Right now, Cpython is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 1 0.00
2024 4 6.30

It may take a day or so for new Cpython vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Pythonsoftwarefoundation Cpython Security Vulnerabilities

Python os.path.expandvars DoS via env var expansion
CVE-2025-6075 - October 31, 2025

If the value passed to os.path.expandvars() is user-controlled, a performance degradation is possible when expanding environment variables.

Resource Exhaustion

Python urllib.parse SSRF Vulnerability via Improper Host Validation
CVE-2024-11168 3.7 - Low - November 12, 2024

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

SSRF

CPython zipfile.Path Vulnerability: Infinite Loop via Malicious ZIP
CVE-2024-8088 - August 22, 2024

There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.

Infinite Loop

Python SSL tls race: ssl.SSLContext cert_store_stats()/get_ca_certs() before 3.10.14
CVE-2024-0397 7.4 - High - June 17, 2024

A defect was discovered in the Python ssl module where there is a memory race condition with the ssl.SSLContext methods cert_store_stats() and get_ca_certs(). The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

Race Condition

CVE-2023-6597: CPython TempDir Symlink Perm Escalation Prev 3.12
CVE-2023-6597 7.8 - High - March 19, 2024

An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.
