python-base (SUSE:Linux Enterprise Module for Package Hub 15 SP7) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Module for Package Hub 15 SP7 package python-base, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (24)
CVE-2026-6100 — CVSS 8.1 (high): Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails…
CVE-2025-8194 — CVSS 7.5 (high): There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar…
CVE-2026-3644 — CVSS 7.5 (high): The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and…
CVE-2024-7592 — CVSS 7.5 (high): There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that…
CVE-2025-13836 — CVSS 7.5 (high): When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This…
CVE-2026-4224 — CVSS 7.5 (high): When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content…
CVE-2026-4786 — CVSS 7.1 (high): Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the…
CVE-2026-6019 — CVSS 6.1 (medium): http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize…
CVE-2026-1299: The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email…
CVE-2026-0672: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects…
CVE-2026-3446: When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of…
CVE-2025-15367: The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands…
CVE-2026-0865: User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2025-15366: The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects…
CVE-2025-6075 — CVSS 5.5 (medium): If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2025-12084 — CVSS 5.3 (medium): When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm…
CVE-2026-6357: pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python…
CVE-2026-3219: pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior…
CVE-2025-6069 — CVSS 4.3 (medium): The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading…
CVE-2025-8291 — CVSS 4.3 (medium): The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be…
CVE-2026-4519 — CVSS 3.3 (low): The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers…
CVE-2025-13462 — CVSS 3.3 (low): The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such…
CVE-2026-1703: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The…
CVE-2026-3479: DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as…