﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
5972	Python security fixes: CVE-2026-4360 and 15308	Joe Locash	lfs-book	"2 CVE's have been fixed in Python recently, the one reported today has a high severity.

{{{
From: Petr Viktorin via Security-announce <security-announce@python.org>
Date: Tue, 30 Jun 2026 13:45:44 +0200
Subject: [Security-announce][CVE-2026-4360] Tarfile.extract doesn't fully respect filter parameter
There is a LOW severity vulnerability affecting CPython.

In the Tarfile.extract function, the filter parameter is not passed
properly called when extracting hardlinks. An affected system that
extracts content from untrusted tar files could end up writing files
with an unexpected uid/gid despite the user passing filter='data' to the
extract function.

Please see the linked CVE ID for the latest information on affected
versions:

* https://www.cve.org/CVERecord?id=CVE-2026-4360
* https://github.com/python/cpython/pull/151988
}}}

Upstream PR for the 3.14 branch: https://github.com/python/cpython/pull/152609


{{{
From: Seth Larson <seth@python.org>
Date: Thu, 9 Jul 2026 17:08:21 +0000
Subject: [Security-announce][CVE-2026-15308] Incremental HTMLParser allows CPU-exhaustion DoS via repeated unterminated markup declarations

There is a HIGH severity vulnerability affecting CPython.

The incremental HTML parser (html.parser.HTMLParser) allows for CPU
denial-of-service through repeated unterminated markup declarations when
processing uncontrolled data.

Please see the linked CVE ID for the latest information on affected
versions:

* https://www.cve.org/CVERecord?id=CVE-2026-15308
* https://github.com/python/cpython/pull/153031
}}}
Upstream PR for the 3.14 branch: https://github.com/python/cpython/pull/153039

Patches attached for both.
"	enhancement	new	high	13.1	Book	git	normal			
