Audit Event Bypass in CPython FileLoader before 3.15.0
CVE-2026-2297 Published on March 4, 2026

SourcelessFileLoader does not use io.open_code()
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

NVD

Products Associated with CVE-2026-2297

Want to know whenever a new CVE is published for Cpython? stack.watch will email you.

Cpython

Affected Versions

Python Software Foundation CPython:

Before 3.15.0 is affected.

Exploit Probability

EPSS

0.01%

Percentile

2.42%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Audit Event Bypass in CPython FileLoader before 3.15.0CVE-2026-2297 Published on March 4, 2026

Products Associated with CVE-2026-2297

Affected Versions

Exploit Probability

Audit Event Bypass in CPython FileLoader before 3.15.0
CVE-2026-2297 Published on March 4, 2026