In difflib module, table header in output of difflib.HtmlDiff.make_table is not escaped and can be rendered as code in the browser, leading potentially to XSS.
https://bugs.python.org/issue35603
https://github.com/python/cpython/commit/44e36e80456dabaeb59c6e2a93e0c1322bfeb179

Python versions 3.6.13, 3.7.10, 3.8.7, 3.9.2 and 3.10.0a4 use CRYPTO_memcmp() for compare_digest to try harder to be constant-time.
https://bugs.python.org/issue40791

Python versions 3.6.10, 3.7.6 and 3.8.1 fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR that allowed  by default multiple processes to bind the same port.
https://bugs.python.org/issue37228

Python versions 3.6.7 and 3.7.1 disable external entities in SAX parser to patch XML vulnerabilities.
https://bugs.python.org/issue17239

Python versions 3.9.0a6, 3.8.4, 3.7.8, 3.6.11, and 3.5.10 disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
https://bugs.python.org/issue39073

Python 2.7.16 includes a fix for CVE-2018-1000802: Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service or Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function.
https://bugs.python.org/issue34540

Python before versions 2.7.15, 3.4.9, 3.5.6, 3.6.5 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service. See CVE-2018-1061.
https://bugs.python.org/issue32981

Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.

Python versions 2.7.17, 3.5.10, 3.6.10 and 3.7.5 include a fix for CVE-2019-16935: The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
https://bugs.python.org/issue38243

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." See CVE-2016-0772.

Python version 2.7.9 and 3.3.3 include a fix for CVE-2013-7440: The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
https://bugs.python.org/issue17997

Python 2.7.8 includes a fix for CVE-2014-7185: Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.
https://bugs.python.org/issue21831

Python 2.7.15 includes a fix for CVE-2018-1000030: Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.
https://bugs.python.org/issue31530

Python versions 2.7.14, 3.4.8 and 3.5.5 include a fix for CVE-2017-1000158: Integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution).
https://bugs.python.org/issue30657

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.

Python versions 2.7.16, 3.4.10, 3.5.7, 3.6.9 and 3.7.3 include a fix for CVE-2019-5010: An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
https://bugs.python.org/issue35746

Python versions 2.7.9, 3.2.6, 3.3.6 and 3.4.3 include a fix for CVE-2013-1753: The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
https://bugs.python.org/issue16043

Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

Python versions 3.6.10, 3.7.5 and 3.8.0 fix an infinite loop with short maximum line lengths in EmailPolicy.
https://bugs.python.org/issue36564

Python versions 3.6.15, 3.7.12, 3.8.12, 3.9.7 and 3.10.0rc2 fix multiple CRLF injection vulnerabilities in smtplib.
https://bugs.python.org/issue43124

Python versions 2.7.14, 3.3.7, 3.4.7, 3.5.4 and 3.6.3 fix ftplib.FTP.putline() to throw an error for a illegal command, as a remote attacker could attack by using newline characters. This issue is similar to CVE-2017-3533.
https://bugs.python.org/issue30119

Python versions 2.7.13, 3.3.7, 3.4.6 and 3.5.3 fix an arbitrary code execution in gettext.c2py().
https://python-security.readthedocs.io/vuln/gettext-c2py.html

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Python versions 2.7.17, 3.5.8, 3.6.10 and 3.7.5 include a fix for CVE-2019-9948: Urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. The issue was also found to be present in Python 3 when using URLopener class.
https://bugs.python.org/issue35907

Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679.

The e-mail module of Python 0 - 2.7.18, 3.x - 3.11 incorrectly parses e-mail addresses that contain a special character. This vulnerability allows attackers to send messages from e-mail addresses that would otherwise be rejected.
https://github.com/python/cpython/issues/102988
https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html

Python versions 3.5.10rc1, 3.6.12, 3.7.9, 3.8.4 and 3.9.0b4 include a fix for CVE-2020-14422: Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.
https://bugs.python.org/issue41004

Python versions 2.7.3 and 3.1.5 include a fix for CVE-2010-3492: The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.
https://bugs.python.org/issue6706

Python 3.7.17, 3.8.17, 3.9.17, 3.10.12 and 3.11.4 include a fix for CVE-2023-24329: An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
https://github.com/python/cpython/issues/102153
https://pointernull.com/security/python-url-parse-problem.html

Python versions 2.6.6, 2.7.0, 3.1.3 and 3.2.0 include a fix for CVE-2010-1634: Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.
https://bugs.python.org/issue8674

Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function. See CVE-2010-1450.

Lib/zipfile.py in Python allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
https://bugs.python.org/issue36260

Python versions 2.7.14, 3.3.7, 3.4.7, 3.5.4 and 3.6.2 update modules/expat to libexpat 2.2.1 to include security fixes.
https://bugs.python.org/issue29591

Python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.

Python versions 2.7.16, 3.4.10, 3.5.7, 3.6.7 and 3.7.1 include a fix for CVE-2018-14647: Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM.
https://bugs.python.org/issue34623

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Python versions 2.7.16, 3.4.10, 3.5.7, 3.6.9 and 3.7.3 include a fix for CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker.
https://bugs.python.org/issue35121

Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows.  NOTE: this issue is due to an incomplete fix for CVE-2007-4965.

Python versions 2.7.14, 3.4.7 and 3.5.4 update its dependency 'zlib' to v1.2.11 to include security fixes.
https://bugs.python.org/issue29169

Python 3.7.16, 3.8.16, 3.9.16, 3.10.6 and 3.11.0b4 include a fix for CVE-2015-20107: The mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Python versions 2.7.14, 3.4.7 and 3.5.4 update its dependency 'zlib' to v1.2.11 to include security fixes.
https://bugs.python.org/issue29169

Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument.

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

Python versions 2.7.14, 3.3.7, 3.4.7, 3.5.4 and 3.6.2 update modules/expat to libexpat 2.2.1 to include security fixes.
https://bugs.python.org/issue29591

Python 3.7.16, 3.8.16, 3.9.16 and 3.10.9 include a fix for CVE-2022-37454: Buffer overflow in the _sha3 module.
https://python-security.readthedocs.io/vuln/sha3-buffer-overflow.html

The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code: a privilege escalation vulnerability. This issue also affects old 3.x releases before 3.5.
NOTE: the vendor's position is that it is the user's responsibility to ensure C:\Python27 access control or choose a different directory because backwards compatibility requires that C:\Python27 remain the default for 2.7.x.

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs. See CVE-2011-1521.

Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.

Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to "partial hashlib hashing of data exceeding 4GB."

Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google."

A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.

Python 3.6.11, 3.7.7 and 3.8.2 include a fix for CVE-2022-48560: Use After Free vulnerability via heappushpop in heapq.
https://bugs.python.org/issue39421

A vulnerability classified as problematic was found in Python 2.7.13. This vulnerability affects unknown code of the component pgAdmin4. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Python 3.4.7 and 3.5.3 remove 3DES from SSL default ciphers list, as it is vulnerable to CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
https://github.com/vstinner/cpython/commit/03d13c0cbfe912eb0f9b9a02987b9e569f25fe19

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts.

Python 2.5.6c1, 2.6.7rc2, 2.7.2, 3.2.4 and 3.3.1 include a fix for CVE-2011-4940: The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
https://python-security.readthedocs.io/vuln/simplehttpserver-utf-7.html

Python versions 2.5.5, 2.6.4 and 3.1 include a fix for CVE-2011-1015: The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.
https://bugs.python.org/issue2254

Python 3.6.14, 3.7.11, 3.8.9 and 3.9.3 include a fix for CVE-2021-4189: The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
https://python-security.readthedocs.io/vuln/ftplib-pasv.html

Python 3.7.15, 3.8.15, 3.9.15 and 3.10.8 update bundled 'libexpat' version to v2.4.9 to include a security fix.

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro.

Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules.  NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031.

Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations.  NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error.

Python versions 2.7.14, 3.4.7 and 3.5.4 update its dependency 'zlib' to v1.2.11 to include security fixes.
https://bugs.python.org/issue29169

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory.  NOTE: the vendor says "It was determined that this is a longtime behavior of Python that cannot really be altered at this point."

Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows.

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. See CVE-2016-5636.

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. See CVE-2012-1150.

SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header. See CVE-2012-0845.

An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.

Python versions 2.7.14, 3.3.7, 3.4.7, 3.5.4 and 3.6.2 update modules/expat to libexpat 2.2.1 to include security fixes.
https://bugs.python.org/issue29591

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

Python versions 3.8.0b2, 3.7.4, 3.6.10, 3.5.8 and 2.7.17 include a fix for CVE-2019-10160: A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
https://bugs.python.org/issue36742

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Python versions 2.7.17, 3.5.7, 3.6.9 and 3.7.3 include a fix for CVE-2019-9636: Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is information disclosure (credentials, cookies, etc. that are cached against a given hostname). The affected components are urllib.parse.urlsplit and urllib.parse.urlparse. The attack vector is a specially crafted URL that could be incorrectly parsed to locate cookies or authentication data and send that information to a different host.
https://bugs.python.org/issue36216

Python versions 2.7.17, 3.5.8, 3.6.9 and 3.7.4 include a fix for CVE-2019-9947: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
https://bugs.python.org/issue35906

Python 2.7.18rc1, 3.5.10rc1, 3.6.11rc1, 3.7.8rc1 and 3.8.3rc1 include a fix for CVE-2019-18348: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.).
https://bugs.python.org/issue30458#msg347282

Python versions 2.7.17, 3.5.8, 3.6.10 and 3.7.5 include a fix for CVE-2019-16056: An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
https://bugs.python.org/issue34155

In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.

Python versions 3.6.14, 3.7.11, 3.8.10, 3.9.5 and 3.10.0 include a fix for CVE-2021-3733: There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client.
https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex2.html

An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Python versions 2.7.16, 3.4.10, 3.5.7, 3.6.7, 3.7.1 and 3.8.0 include a fix for CVE-2019-17514: Library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.
https://bugs.python.org/issue33275
https://www.vice.com/en/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies

Python versions 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14 include a fix for CVE-2022-0391: A flaw was found in Python, specifically within the urllib.parse module. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks.
https://bugs.python.org/issue43882

Python versions 2.7.9, 3.2.6, 3.3.7 and 3.4.3 include a fix for CVE-2013-1752: Smtplib and ftplib unlimited read. This issue was initially assigned a CVE but it was rejected due to the patch not working for some OSes (now fixed).
https://bugs.python.org/issue16039
https://python-security.readthedocs.io/vuln/ftplib-unlimited-read.html
https://python-security.readthedocs.io/vuln/smtplib-unlimited-read.html

Python version 3.4 includes a fix for CVE-2013-7040: Python before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.
https://bugs.python.org/issue14621

Python 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16 include a fix for CVE-2022-45061: An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302.
https://github.com/python/cpython/issues/98433
https://python-security.readthedocs.io/vuln/slow-idna-large-strings.html

Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.

Python versions 2.7.14, 3.3.7, 3.4.7, 3.5.4 and 3.6.2 update modules/expat to libexpat 2.2.1 to include security fixes.
https://bugs.python.org/issue29591

Python versions 2.7.13, 3.3.7, 3.4.6 and 3.5.3 include a fix for CVE-2016-1000110: The CGIHandler class in Python does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
https://bugs.python.org/issue27568

Python versions 2.6.9, 2.7.7, 3.2.6, 3.3.6 and 3.4.1 include a fix for CVE-2013-4238: The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
https://bugs.python.org/issue18709

Python versions 2.7.9 and 3.4.3 include a fix for CVE-2014-9365: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
https://bugs.python.org/issue22417

Python versions 2.7.7, 3.1.5, 3.2.6, 3.3.4 and 3.4.0 include a fix for CVE-2014-1912: Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.
https://bugs.python.org/issue20246

Python versions 2.7.8, 3.2.6, 3.3.6 and 3.4.2 include a fix for CVE-2014-4650: The CGIHTTPServer module in Python 2.7.5 and 3.3.4 (possible in others too) does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
https://bugs.python.org/issue21766

Python versions 2.7.7, 3.2.6, 3.3.6, 3.4.2 and 3.5.0 include a fix for CVE-2014-4616: Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.
https://bugs.python.org/issue21529

Python versions 2.7.10, 3.3.7 and 3.4.4 include a fix for CVE-2016-5699: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
https://bugs.python.org/issue22928

Python 3.7.14, 3.8.14, 3.9.14 and 3.10.6 include a fix for CVE-2021-28861: Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may lead to information disclosure. 
NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

Python versions 2.4.6 and 2.5.2 include a fix for CVE-2008-5031: Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c.  NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315.
https://bugs.python.org/issue4469

Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12.

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured.

Python version 2.6.7, 2.7.2, 3.1.4 and 3.2.0 include a fix for CVE-2010-3493: Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.
https://bugs.python.org/issue9129

Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Python versions 2.6.6, 2.7.0, 3.1.3 and 3.2.0 include a fix for CVE-2010-1634: The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.
https://bugs.python.org/issue7673

Buffer underflow in the rgbimg module in Python 2.5 allows remote attackers to cause a denial of service (application crash) via a large ZSIZE value in a black-and-white (aka B/W) RGB image that triggers an invalid pointer dereference. See CVE-2009-4134.

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).

Python 3.9.16, 3.10.9 and 3.11.0 include a fix for CVE-2022-42919: Python 3.9.x and 3.10.x through 3.10.8 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
https://github.com/python/cpython/issues/97514

Python 3.8.18, 3.9.18, 3.10.13, 3.11.5 and 3.12.0rc2 include a fix for CVE-2023-40217: It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.
https://github.com/python/cpython/issues/108310
https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY

Python 3.6.13, 3.7.10, 3.8.7, 3.9.1 and 3.10.0a3 include a fix for CVE-2022-48566: Observable Timing Discrepancy vulnerability in compare_digest in Lib/hmac.py. The fix includes constant-time-defeating optimizations were possible in the accumulator variable in hmac.compare_digest.
https://bugs.python.org/issue40791

Python 3.6.13, 3.7.10, 3.8.7 and 3.9.1 include a fix for CVE-2022-48565: XML External Entity vulnerability. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
https://bugs.python.org/issue42051

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

Python versions 3.6.13, 3.7.10, 3.8.8 and 3.9.2 include a fix for CVE-2021-23336: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
https://bugs.python.org/issue42967
https://github.com/python/cpython/pull/24297

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Python 3.5.10, 3.6.12, 3.7.9, 3.8.4 and 3.9.0 include a fix for CVE-2020-15523: A Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). 
#NOTE: This vulnerability affects only users of Windows.
#NOTE2: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.
https://python-security.readthedocs.io/vuln/pysetpath-python-dll-path.html

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Python 3.7.13, 3.8.13, 3.9.11 and 3.10.3 update bundled libexpat version to v2.4.6 to include security fixes.

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.