python39-toml (AlmaLinux:8) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the AlmaLinux:8 package python39-toml, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (44)
CVE-2021-29921 — CVSS 9.8 (critical): In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some…
CVE-2007-4559 — CVSS 9.8 (critical): Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted…
CVE-2025-4517 — CVSS 9.4 (critical): Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this…
CVE-2025-47273 — CVSS 8.8 (high): setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal…
CVE-2024-6345 — CVSS 8.8 (high): A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download…
CVE-2024-8088: There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API…
CVE-2021-43818 — CVSS 8.2 (high): lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain…
CVE-2023-6597 — CVSS 7.8 (high): An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and…
CVE-2024-9287 — CVSS 7.8 (high): A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not…
CVE-2022-42919 — CVSS 7.8 (high): Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python…
CVE-2015-20107 — CVSS 7.6 (high): In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap…
CVE-2023-24329 — CVSS 7.5 (high): An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that…
CVE-2020-10735 — CVSS 7.5 (high): A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could…
CVE-2021-33503 — CVSS 7.5 (high): An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the…
CVE-2021-3737 — CVSS 7.5 (high): A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls…
CVE-2022-2255 — CVSS 7.5 (high): A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker…
CVE-2022-45061 — CVSS 7.5 (high): An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the…
CVE-2024-3651 — CVSS 7.5 (high): A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue…
CVE-2024-4032 — CVSS 7.5 (high): The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally…
CVE-2024-6232 — CVSS 7.5 (high): There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile…
CVE-2025-4138 — CVSS 7.5 (high): Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of…
CVE-2025-4330 — CVSS 7.5 (high): Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of…
CVE-2025-4435 — CVSS 7.5 (high): When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and…
CVE-2025-8194 — CVSS 7.5 (high): There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar…
CVE-2021-28861 — CVSS 7.4 (high): Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the…
CVE-2024-5642 — CVSS 6.5 (medium): CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for…
CVE-2021-3733 — CVSS 6.5 (medium): There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as…
CVE-2025-0938: The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which…
CVE-2024-0450 — CVSS 6.2 (medium): An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile…
CVE-2021-28957 — CVSS 6.1 (medium): An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms…
CVE-2023-32681 — CVSS 6.1 (medium): Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when…
CVE-2025-4516: There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape"…
CVE-2022-40897 — CVSS 5.9 (medium): Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted…
CVE-2023-43804 — CVSS 5.9 (medium): urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers…
CVE-2021-3426 — CVSS 5.7 (medium): There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to…
CVE-2021-3572 — CVSS 5.7 (medium): A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue…
CVE-2025-6075 — CVSS 5.5 (medium): If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2024-6923 — CVSS 5.5 (medium): There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when…
CVE-2023-27043 — CVSS 5.3 (medium): The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an…
CVE-2023-40217 — CVSS 5.3 (medium): An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects…
CVE-2023-23931 — CVSS 4.8 (medium): cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions…
CVE-2025-6069 — CVSS 4.3 (medium): The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading…
CVE-2025-8291 — CVSS 4.3 (medium): The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be…
CVE-2024-11168 — CVSS 3.7 (low): The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or…