Python security fixes: CVE-2026-4224,3644,4519

[Joe Locash]

3 CVE's have been fixed in Python recently mostly affecting versions before 3.15:

CVE-2026-4224 CVE-2026-3644 CVE-2026-4519

From ​https://www.openwall.com/lists/oss-security/2026/03/16/4:

There is a HIGH severity vulnerability affecting CPython.

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.

Please see the linked CVE ID for the latest information on affected versions:

• ​https://www.cve.org/CVERecord?id=CVE-2026-4224
• ​https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768

From ​https://www.openwall.com/lists/oss-security/2026/03/16/5:

There is a MEDIUM severity vulnerability affecting CPython.

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Please see the linked CVE ID for the latest information on affected versions:

• ​https://www.cve.org/CVERecord?id=CVE-2026-3644
• ​https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4

From ​https://www.openwall.com/lists/oss-security/2026/03/20/1:

There is a MEDIUM severity vulnerability affecting CPython.

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Please see the linked CVE ID for the latest information on affected versions:

• ​https://www.cve.org/CVERecord?id=CVE-2026-4519
• ​https://github.com/python/cpython/pull/143931

Attached is a patch with the fixes rediffed for 3.14.3.