python311-core (SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSS) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSS package python311-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (22)
CVE-2025-4517 — CVSS 9.4 (critical): Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this…
CVE-2025-4138 — CVSS 7.5 (high): Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of…
CVE-2026-3644 — CVSS 7.5 (high): The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and…
CVE-2025-4330 — CVSS 7.5 (high): Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of…
CVE-2026-4224 — CVSS 7.5 (high): When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content…
CVE-2025-13836 — CVSS 7.5 (high): When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This…
CVE-2025-15282: User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2026-0672: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects…
CVE-2025-4516: There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape"…
CVE-2025-15367: The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands…
CVE-2026-0865: User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2025-15366: The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects…
CVE-2025-11468: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This…
CVE-2025-13837 — CVSS 5.5 (medium): When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and…
CVE-2025-6075 — CVSS 5.5 (medium): If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2024-12718 — CVSS 5.3 (medium): Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside…
CVE-2025-12084 — CVSS 5.3 (medium): When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm…
CVE-2025-12781 — CVSS 5.3 (medium): When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/"…
CVE-2025-8291 — CVSS 4.3 (medium): The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be…
CVE-2025-13462 — CVSS 3.3 (low): The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such…
CVE-2026-4519 — CVSS 3.3 (low): The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers…
CVE-2026-3479: DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as…