Threats Tagged 'cve-2026-2297'

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * cpython: wsgiref.headers.Headers allows header newline injection in Python (CVE-2026-0865) * cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297) * cpython: Incomplete control character validation in http.cookies (CVE-2026-3644) * cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224) * python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519) * python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502) * python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100) * python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786) * python: Python: Information disclosure and arbitrary code execution via remote debugging with a malicious process. (CVE-2026-5713) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * cpython: wsgiref.headers.Headers allows header newline injection in Python (CVE-2026-0865) * cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297) * cpython: Incomplete control character validation in http.cookies (CVE-2026-3644) * cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224) * python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519) * python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502) * python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100) * python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786) * python: Python: Information disclosure and arbitrary code execution via remote debugging with a malicious process. (CVE-2026-5713) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat Update Infrastructure (RHUI) container images are based on the latest RHUI RPM packages and the ubi9 or ubi9-init base images. This release updates to the latest version.

CVE-2026-2297 is a medium severity vulnerability in the Python Software Foundation's CPython implementation. It involves the import hook handling of legacy . pyc files by the SourcelessFileLoader, which inherits from FileLoader. The issue is that FileLoader does not use io. open_code() to read . pyc files, causing sys. audit handlers for this event not to trigger. This could impact auditing and monitoring of code loading activities in affected versions. The vulnerability affects CPython versions 0 through 3. 15.