| Package | Installed | Affected | Info |
|---|---|---|---|
| lxml | 6.0.4 | <6.1.0 |
show Affected versions of the lxml package are vulnerable to XML External Entity Injection due to insecure default parser configuration that resolves external entities. The iterparse() function and the ETCompatXMLParser() class both default to resolve_entities=True, so untrusted XML input processed through either parser will expand external entity references and read referenced local files from the host. An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output. |
| urllib3 | 2.6.3 | >=1.23,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path. |
| urllib3 | 2.6.3 | >=2.6.0,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion. |
| Package | Installed | Affected | Info |
|---|---|---|---|
| idna | 3.11 | <3.15 |
show Affected versions of the idna package are vulnerable to Denial of Service due to an incomplete fix for CVE-2024-3651 that still allows specially crafted inputs to consume significant resources during encoding. The idna.encode() function invokes the valid_contexto validator on every label before applying length-based rejection, so payloads such as long repetitions of the Arabic-Indic digit U+0660 or sequences of the Katakana middle dot U+30FB followed by a CJK character cause valid_contexto to perform extensive context-rule processing across each character. A remote attacker who can supply domain-name input to an application that calls idna.encode() without first enforcing the 253-character DNS length limit can submit arbitrarily large strings that drive the validator to exhaust CPU time, resulting in Denial of Service through resource consumption. |
| lxml | 6.0.4 | <6.1.0 |
show Affected versions of the lxml package are vulnerable to XML External Entity Injection due to insecure default parser configuration that resolves external entities. The iterparse() function and the ETCompatXMLParser() class both default to resolve_entities=True, so untrusted XML input processed through either parser will expand external entity references and read referenced local files from the host. An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output. |
| urllib3 | 2.6.3 | >=1.23,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path. |
| urllib3 | 2.6.3 | >=2.6.0,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion. |
| Package | Installed | Affected | Info |
|---|---|---|---|
| lxml | 6.0.4 | <6.1.0 |
show Affected versions of the lxml package are vulnerable to XML External Entity Injection due to insecure default parser configuration that resolves external entities. The iterparse() function and the ETCompatXMLParser() class both default to resolve_entities=True, so untrusted XML input processed through either parser will expand external entity references and read referenced local files from the host. An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output. |
| urllib3 | 2.6.3 | >=1.23,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path. |
| urllib3 | 2.6.3 | >=2.6.0,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion. |
| Package | Installed | Affected | Info |
|---|---|---|---|
| lxml | 6.0.4 | <6.1.0 |
show Affected versions of the lxml package are vulnerable to XML External Entity Injection due to insecure default parser configuration that resolves external entities. The iterparse() function and the ETCompatXMLParser() class both default to resolve_entities=True, so untrusted XML input processed through either parser will expand external entity references and read referenced local files from the host. An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output. |
| urllib3 | 2.6.3 | >=1.23,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path. |
| urllib3 | 2.6.3 | >=2.6.0,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion. |
| Package | Installed | Affected | Info |
|---|---|---|---|
| urllib3 | 2.6.3 | >=1.23,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path. |
| urllib3 | 2.6.3 | >=2.6.0,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion. |
| Package | Installed | Affected | Info |
|---|---|---|---|
| lxml | 6.0.4 | <6.1.0 |
show Affected versions of the lxml package are vulnerable to XML External Entity Injection due to insecure default parser configuration that resolves external entities. The iterparse() function and the ETCompatXMLParser() class both default to resolve_entities=True, so untrusted XML input processed through either parser will expand external entity references and read referenced local files from the host. An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output. |
| urllib3 | 2.6.3 | >=1.23,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path. |
| urllib3 | 2.6.3 | >=2.6.0,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion. |
| Package | Installed | Affected | Info |
|---|---|---|---|
| lxml | 6.0.4 | <6.1.0 |
show Affected versions of the lxml package are vulnerable to XML External Entity Injection due to insecure default parser configuration that resolves external entities. The iterparse() function and the ETCompatXMLParser() class both default to resolve_entities=True, so untrusted XML input processed through either parser will expand external entity references and read referenced local files from the host. An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output. |
| urllib3 | 2.6.3 | >=1.23,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path. |
| urllib3 | 2.6.3 | >=2.6.0,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion. |
| Package | Installed | Affected | Info |
|---|---|---|---|
| lxml | 6.0.4 | <6.1.0 |
show Affected versions of the lxml package are vulnerable to XML External Entity Injection due to insecure default parser configuration that resolves external entities. The iterparse() function and the ETCompatXMLParser() class both default to resolve_entities=True, so untrusted XML input processed through either parser will expand external entity references and read referenced local files from the host. An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output. |
| urllib3 | 2.6.3 | >=1.23,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path. |
| urllib3 | 2.6.3 | >=2.6.0,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion. |
| Package | Installed | Affected | Info |
|---|---|---|---|
| lxml | 6.0.4 | <6.1.0 |
show Affected versions of the lxml package are vulnerable to XML External Entity Injection due to insecure default parser configuration that resolves external entities. The iterparse() function and the ETCompatXMLParser() class both default to resolve_entities=True, so untrusted XML input processed through either parser will expand external entity references and read referenced local files from the host. An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output. |
| urllib3 | 2.6.3 | >=1.23,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Information Disclosure due to improper handling of sensitive headers during cross-origin redirects in the low-level proxy API. When following cross-origin redirects via ProxyManager.connection_from_url().urlopen() with assert_same_host=False, sensitive headers including Authorization, Cookie, and Proxy-Authorization are not stripped, unlike the high-level API, which removes them via Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT. An attacker controlling a redirect target can capture these sensitive headers from requests that follow cross-origin redirects through the low-level proxy API path. |
| urllib3 | 2.6.3 | >=2.6.0,<2.7.0 |
show Affected versions of the urllib3 package are vulnerable to Denial of Service due to bypassed decompression-bomb safeguards in the streaming API. When using HTTPResponse.read(amt=N) with the official Brotli library, the second call decompresses the entire response instead of only the requested portion, and HTTPResponse.drain_conn() called after partial decompression, likewise decodes the full response in a single operation. An attacker serving a highly compressed response can cause excessive CPU usage and massive memory allocation on the client, leading to resource exhaustion. |
| Package | Installed | Affected | Info |
|---|---|---|---|
| lxml | 6.0.4 | <6.1.0 |
show Affected versions of the lxml package are vulnerable to XML External Entity Injection due to insecure default parser configuration that resolves external entities. The iterparse() function and the ETCompatXMLParser() class both default to resolve_entities=True, so untrusted XML input processed through either parser will expand external entity references and read referenced local files from the host. An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output. |
| Package | Installed | Affected | Info |
|---|---|---|---|
| lxml | 6.0.4 | <6.1.0 |
show Affected versions of the lxml package are vulnerable to XML External Entity Injection due to insecure default parser configuration that resolves external entities. The iterparse() function and the ETCompatXMLParser() class both default to resolve_entities=True, so untrusted XML input processed through either parser will expand external entity references and read referenced local files from the host. An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output. |
https://pyup.io/repos/github/mzollin/qr-pirate/python-3-shield.svg
[](https://pyup.io/repos/github/mzollin/qr-pirate/)
.. image:: https://pyup.io/repos/github/mzollin/qr-pirate/python-3-shield.svg
:target: https://pyup.io/repos/github/mzollin/qr-pirate/
:alt: Python 3
<a href="https://pyup.io/repos/github/mzollin/qr-pirate/"><img src="https://pyup.io/repos/github/mzollin/qr-pirate/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/mzollin/qr-pirate/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/mzollin/qr-pirate/
{<img src="https://pyup.io/repos/github/mzollin/qr-pirate/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/mzollin/qr-pirate/]
https://pyup.io/repos/github/mzollin/qr-pirate/shield.svg
[](https://pyup.io/repos/github/mzollin/qr-pirate/)
.. image:: https://pyup.io/repos/github/mzollin/qr-pirate/shield.svg
:target: https://pyup.io/repos/github/mzollin/qr-pirate/
:alt: Updates
<a href="https://pyup.io/repos/github/mzollin/qr-pirate/"><img src="https://pyup.io/repos/github/mzollin/qr-pirate/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/mzollin/qr-pirate/shield.svg(Updates)!:https://pyup.io/repos/github/mzollin/qr-pirate/
{<img src="https://pyup.io/repos/github/mzollin/qr-pirate/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/mzollin/qr-pirate/]