python3.12-devel (AlmaLinux:9) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the AlmaLinux:9 package python3.12-devel, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (33)
CVE-2025-4517 — CVSS 9.4 (critical): Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this…
CVE-2024-8088: There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API…
CVE-2026-6100 — CVSS 8.1 (high): Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails…
CVE-2024-9287 — CVSS 7.8 (high): A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not…
CVE-2024-7592 — CVSS 7.5 (high): There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that…
CVE-2025-4138 — CVSS 7.5 (high): Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of…
CVE-2024-12254 — CVSS 7.5 (high): Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to…
CVE-2024-4032 — CVSS 7.5 (high): The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally…
CVE-2024-6232 — CVSS 7.5 (high): There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile…
CVE-2025-13836 — CVSS 7.5 (high): When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This…
CVE-2025-4330 — CVSS 7.5 (high): Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of…
CVE-2025-4435 — CVSS 7.5 (high): When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and…
CVE-2025-59375 — CVSS 7.5 (high): libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for…
CVE-2025-8194 — CVSS 7.5 (high): There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar…
CVE-2026-3644 — CVSS 7.5 (high): The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and…
CVE-2026-4224 — CVSS 7.5 (high): When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content…
CVE-2026-4786 — CVSS 7.1 (high): Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the…
CVE-2025-0938: The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which…
CVE-2024-0450 — CVSS 6.2 (medium): An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile…
CVE-2026-0672: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects…
CVE-2026-1299: The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email…
CVE-2025-15282: User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2025-15366: The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects…
CVE-2025-15367: The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands…
CVE-2026-2297: The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and…
CVE-2026-1502: CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
CVE-2024-6923 — CVSS 5.5 (medium): There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when…
CVE-2025-13837 — CVSS 5.5 (medium): When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and…
CVE-2025-6075 — CVSS 5.5 (medium): If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2025-12084 — CVSS 5.3 (medium): When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm…
CVE-2024-12718 — CVSS 5.3 (medium): Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside…
CVE-2025-8291 — CVSS 4.3 (medium): The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be…
CVE-2026-4519 — CVSS 3.3 (low): The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers…