usn-8018-2
Vulnerability from osv_ubuntu
USN-8018-1 fixed vulnerabilities in python3. That update introduced regressions. The patches for CVE-2025-15366 and CVE-2025-15367 caused behavior regressions in IMAP and POP3 handling, which upstream chose to avoid by not backporting them. Additionally, the patch for CVE-2026-0865 incorrectly rejected horizontal tabs in wsgiref headers. This update fixes these problems.
We apologize for the inconvenience.
Original advisory details:
Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages. This issue only affected python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. (CVE-2025-11468)
Jacob Walls, Shai Berger, and Natalia Bidart discovered that Python inefficiently parsed XML input with quadratic complexity. An attacker could possibly use this issue to cause a denial of service. (CVE-2025-12084)
It was discovered that Python incorrectly parsed malicious plist files. An attacker could possibly use this issue to cause Python to use excessive resources, leading to a denial of service. This issue only affected python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. (CVE-2025-13837)
Omar Hasan discovered that Python incorrectly parsed URL mediatypes. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2025-15282)
Omar Hasan discovered that Python incorrectly parsed malicious IMAP inputs. An attacker could possibly use this issue to inject arbitrary IMAP commands. (CVE-2025-15366)
Omar Hasan discovered that Python incorrectly parsed malicious POP3 inputs. An attacker could possibly use this issue to inject arbitrary POP3 commands. (CVE-2025-15367)
Omar Hasan discovered that Python incorrectly parsed malicious HTTP cookie headers. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-0672)
Omar Hasan discovered that Python incorrectly parsed malicious HTTP header names and values. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-0865)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:14.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "idle-python3.4",
"binary_version": "3.4.3-1ubuntu1~14.04.7+esm20"
},
{
"binary_name": "libpython3.4",
"binary_version": "3.4.3-1ubuntu1~14.04.7+esm20"
},
{
"binary_name": "libpython3.4-minimal",
"binary_version": "3.4.3-1ubuntu1~14.04.7+esm20"
},
{
"binary_name": "libpython3.4-stdlib",
"binary_version": "3.4.3-1ubuntu1~14.04.7+esm20"
},
{
"binary_name": "libpython3.4-testsuite",
"binary_version": "3.4.3-1ubuntu1~14.04.7+esm20"
},
{
"binary_name": "python3.4",
"binary_version": "3.4.3-1ubuntu1~14.04.7+esm20"
},
{
"binary_name": "python3.4-examples",
"binary_version": "3.4.3-1ubuntu1~14.04.7+esm20"
},
{
"binary_name": "python3.4-minimal",
"binary_version": "3.4.3-1ubuntu1~14.04.7+esm20"
},
{
"binary_name": "python3.4-venv",
"binary_version": "3.4.3-1ubuntu1~14.04.7+esm20"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "python3.4",
"purl": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1~14.04.7+esm20?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.3-1ubuntu1~14.04.7+esm20"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.4~b1-0ubuntu3",
"3.4~b1-4ubuntu4",
"3.4~b1-4ubuntu6",
"3.4~b1-5ubuntu2",
"3.4~b2-1",
"3.4~b3-1ubuntu1",
"3.4~rc1-1build1",
"3.4~rc2-1",
"3.4~rc3-0ubuntu1",
"3.4.0-1",
"3.4.0-2ubuntu1",
"3.4.0-2ubuntu1.1",
"3.4.3-1ubuntu1~14.04.1",
"3.4.3-1ubuntu1~14.04.3",
"3.4.3-1ubuntu1~14.04.4",
"3.4.3-1ubuntu1~14.04.5",
"3.4.3-1ubuntu1~14.04.6",
"3.4.3-1ubuntu1~14.04.7",
"3.4.3-1ubuntu1~14.04.7+esm2",
"3.4.3-1ubuntu1~14.04.7+esm4",
"3.4.3-1ubuntu1~14.04.7+esm6",
"3.4.3-1ubuntu1~14.04.7+esm7",
"3.4.3-1ubuntu1~14.04.7+esm8",
"3.4.3-1ubuntu1~14.04.7+esm10",
"3.4.3-1ubuntu1~14.04.7+esm11",
"3.4.3-1ubuntu1~14.04.7+esm12",
"3.4.3-1ubuntu1~14.04.7+esm13",
"3.4.3-1ubuntu1~14.04.7+esm14",
"3.4.3-1ubuntu1~14.04.7+esm15",
"3.4.3-1ubuntu1~14.04.7+esm16",
"3.4.3-1ubuntu1~14.04.7+esm17",
"3.4.3-1ubuntu1~14.04.7+esm19"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:14.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "idle-python3.5",
"binary_version": "3.5.2-2ubuntu0~16.04.4~14.04.1+esm10"
},
{
"binary_name": "libpython3.5",
"binary_version": "3.5.2-2ubuntu0~16.04.4~14.04.1+esm10"
},
{
"binary_name": "libpython3.5-minimal",
"binary_version": "3.5.2-2ubuntu0~16.04.4~14.04.1+esm10"
},
{
"binary_name": "libpython3.5-stdlib",
"binary_version": "3.5.2-2ubuntu0~16.04.4~14.04.1+esm10"
},
{
"binary_name": "libpython3.5-testsuite",
"binary_version": "3.5.2-2ubuntu0~16.04.4~14.04.1+esm10"
},
{
"binary_name": "python3.5",
"binary_version": "3.5.2-2ubuntu0~16.04.4~14.04.1+esm10"
},
{
"binary_name": "python3.5-examples",
"binary_version": "3.5.2-2ubuntu0~16.04.4~14.04.1+esm10"
},
{
"binary_name": "python3.5-minimal",
"binary_version": "3.5.2-2ubuntu0~16.04.4~14.04.1+esm10"
},
{
"binary_name": "python3.5-venv",
"binary_version": "3.5.2-2ubuntu0~16.04.4~14.04.1+esm10"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "python3.5",
"purl": "pkg:deb/ubuntu/python3.5@3.5.2-2ubuntu0~16.04.4~14.04.1+esm10?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.2-2ubuntu0~16.04.4~14.04.1+esm10"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.5.2-2ubuntu0~16.04.4~14.04.1",
"3.5.2-2ubuntu0~16.04.4~14.04.1+esm1",
"3.5.2-2ubuntu0~16.04.4~14.04.1+esm3",
"3.5.2-2ubuntu0~16.04.4~14.04.1+esm4",
"3.5.2-2ubuntu0~16.04.4~14.04.1+esm5",
"3.5.2-2ubuntu0~16.04.4~14.04.1+esm6",
"3.5.2-2ubuntu0~16.04.4~14.04.1+esm7",
"3.5.2-2ubuntu0~16.04.4~14.04.1+esm8",
"3.5.2-2ubuntu0~16.04.4~14.04.1+esm9"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:16.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "idle-python3.5",
"binary_version": "3.5.2-2ubuntu0~16.04.13+esm22"
},
{
"binary_name": "libpython3.5",
"binary_version": "3.5.2-2ubuntu0~16.04.13+esm22"
},
{
"binary_name": "libpython3.5-minimal",
"binary_version": "3.5.2-2ubuntu0~16.04.13+esm22"
},
{
"binary_name": "libpython3.5-stdlib",
"binary_version": "3.5.2-2ubuntu0~16.04.13+esm22"
},
{
"binary_name": "libpython3.5-testsuite",
"binary_version": "3.5.2-2ubuntu0~16.04.13+esm22"
},
{
"binary_name": "python3.5",
"binary_version": "3.5.2-2ubuntu0~16.04.13+esm22"
},
{
"binary_name": "python3.5-examples",
"binary_version": "3.5.2-2ubuntu0~16.04.13+esm22"
},
{
"binary_name": "python3.5-minimal",
"binary_version": "3.5.2-2ubuntu0~16.04.13+esm22"
},
{
"binary_name": "python3.5-venv",
"binary_version": "3.5.2-2ubuntu0~16.04.13+esm22"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "python3.5",
"purl": "pkg:deb/ubuntu/python3.5@3.5.2-2ubuntu0~16.04.13+esm22?arch=source\u0026distro=esm-infra/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.2-2ubuntu0~16.04.13+esm22"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.5.0-3",
"3.5.0-3ubuntu1",
"3.5.1~rc1-2ubuntu1",
"3.5.1-1",
"3.5.1-2",
"3.5.1-3",
"3.5.1-5",
"3.5.1-6ubuntu1",
"3.5.1-6ubuntu2",
"3.5.1-9ubuntu1",
"3.5.1-10",
"3.5.2-2~16.01",
"3.5.2-2~16.04",
"3.5.2-2ubuntu0~16.04.1",
"3.5.2-2ubuntu0~16.04.2",
"3.5.2-2ubuntu0~16.04.3",
"3.5.2-2ubuntu0~16.04.4",
"3.5.2-2ubuntu0~16.04.5",
"3.5.2-2ubuntu0~16.04.8",
"3.5.2-2ubuntu0~16.04.9",
"3.5.2-2ubuntu0~16.04.10",
"3.5.2-2ubuntu0~16.04.11",
"3.5.2-2ubuntu0~16.04.12",
"3.5.2-2ubuntu0~16.04.13",
"3.5.2-2ubuntu0~16.04.13+esm1",
"3.5.2-2ubuntu0~16.04.13+esm2",
"3.5.2-2ubuntu0~16.04.13+esm3",
"3.5.2-2ubuntu0~16.04.13+esm5",
"3.5.2-2ubuntu0~16.04.13+esm6",
"3.5.2-2ubuntu0~16.04.13+esm7",
"3.5.2-2ubuntu0~16.04.13+esm8",
"3.5.2-2ubuntu0~16.04.13+esm9",
"3.5.2-2ubuntu0~16.04.13+esm10",
"3.5.2-2ubuntu0~16.04.13+esm11",
"3.5.2-2ubuntu0~16.04.13+esm12",
"3.5.2-2ubuntu0~16.04.13+esm13",
"3.5.2-2ubuntu0~16.04.13+esm14",
"3.5.2-2ubuntu0~16.04.13+esm15",
"3.5.2-2ubuntu0~16.04.13+esm16",
"3.5.2-2ubuntu0~16.04.13+esm17",
"3.5.2-2ubuntu0~16.04.13+esm18",
"3.5.2-2ubuntu0~16.04.13+esm19",
"3.5.2-2ubuntu0~16.04.13+esm20",
"3.5.2-2ubuntu0~16.04.13+esm21"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "idle-python3.6",
"binary_version": "3.6.9-1~18.04ubuntu1.13+esm9"
},
{
"binary_name": "libpython3.6",
"binary_version": "3.6.9-1~18.04ubuntu1.13+esm9"
},
{
"binary_name": "libpython3.6-minimal",
"binary_version": "3.6.9-1~18.04ubuntu1.13+esm9"
},
{
"binary_name": "libpython3.6-stdlib",
"binary_version": "3.6.9-1~18.04ubuntu1.13+esm9"
},
{
"binary_name": "libpython3.6-testsuite",
"binary_version": "3.6.9-1~18.04ubuntu1.13+esm9"
},
{
"binary_name": "python3.6",
"binary_version": "3.6.9-1~18.04ubuntu1.13+esm9"
},
{
"binary_name": "python3.6-examples",
"binary_version": "3.6.9-1~18.04ubuntu1.13+esm9"
},
{
"binary_name": "python3.6-minimal",
"binary_version": "3.6.9-1~18.04ubuntu1.13+esm9"
},
{
"binary_name": "python3.6-venv",
"binary_version": "3.6.9-1~18.04ubuntu1.13+esm9"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "python3.6",
"purl": "pkg:deb/ubuntu/python3.6@3.6.9-1~18.04ubuntu1.13+esm9?arch=source\u0026distro=esm-infra/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.9-1~18.04ubuntu1.13+esm9"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.6.3-1ubuntu1",
"3.6.4~rc1-1",
"3.6.4~rc1-2",
"3.6.4-1",
"3.6.4-2",
"3.6.4-3build1",
"3.6.4-4",
"3.6.5~rc1-1",
"3.6.5-3",
"3.6.6-1~18.04",
"3.6.7-1~18.04",
"3.6.8-1~18.04.1",
"3.6.8-1~18.04.2",
"3.6.8-1~18.04.3",
"3.6.9-1~18.04",
"3.6.9-1~18.04ubuntu1",
"3.6.9-1~18.04ubuntu1.1",
"3.6.9-1~18.04ubuntu1.3",
"3.6.9-1~18.04ubuntu1.4",
"3.6.9-1~18.04ubuntu1.6",
"3.6.9-1~18.04ubuntu1.7",
"3.6.9-1~18.04ubuntu1.8",
"3.6.9-1~18.04ubuntu1.9",
"3.6.9-1~18.04ubuntu1.10",
"3.6.9-1~18.04ubuntu1.12",
"3.6.9-1~18.04ubuntu1.13",
"3.6.9-1~18.04ubuntu1.13+esm1",
"3.6.9-1~18.04ubuntu1.13+esm2",
"3.6.9-1~18.04ubuntu1.13+esm3",
"3.6.9-1~18.04ubuntu1.13+esm4",
"3.6.9-1~18.04ubuntu1.13+esm5",
"3.6.9-1~18.04ubuntu1.13+esm6",
"3.6.9-1~18.04ubuntu1.13+esm7",
"3.6.9-1~18.04ubuntu1.13+esm8"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "idle-python3.7",
"binary_version": "3.7.5-2ubuntu1~18.04.2+esm10"
},
{
"binary_name": "libpython3.7",
"binary_version": "3.7.5-2ubuntu1~18.04.2+esm10"
},
{
"binary_name": "libpython3.7-minimal",
"binary_version": "3.7.5-2ubuntu1~18.04.2+esm10"
},
{
"binary_name": "libpython3.7-stdlib",
"binary_version": "3.7.5-2ubuntu1~18.04.2+esm10"
},
{
"binary_name": "libpython3.7-testsuite",
"binary_version": "3.7.5-2ubuntu1~18.04.2+esm10"
},
{
"binary_name": "python3.7",
"binary_version": "3.7.5-2ubuntu1~18.04.2+esm10"
},
{
"binary_name": "python3.7-examples",
"binary_version": "3.7.5-2ubuntu1~18.04.2+esm10"
},
{
"binary_name": "python3.7-minimal",
"binary_version": "3.7.5-2ubuntu1~18.04.2+esm10"
},
{
"binary_name": "python3.7-venv",
"binary_version": "3.7.5-2ubuntu1~18.04.2+esm10"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "python3.7",
"purl": "pkg:deb/ubuntu/python3.7@3.7.5-2ubuntu1~18.04.2+esm10?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.5-2ubuntu1~18.04.2+esm10"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.7.0~a2-1",
"3.7.0~a3-1",
"3.7.0~a3-2",
"3.7.0~a3-3",
"3.7.0~a4-1",
"3.7.0~b1-1",
"3.7.0~b1-1build1",
"3.7.0~b2-1",
"3.7.0~b3-1",
"3.7.0-1~18.04",
"3.7.1-1~18.04",
"3.7.3-2~18.04.1",
"3.7.5-2~18.04",
"3.7.5-2~18.04.4",
"3.7.5-2ubuntu1~18.04.2",
"3.7.5-2ubuntu1~18.04.2+esm1",
"3.7.5-2ubuntu1~18.04.2+esm2",
"3.7.5-2ubuntu1~18.04.2+esm3",
"3.7.5-2ubuntu1~18.04.2+esm4",
"3.7.5-2ubuntu1~18.04.2+esm5",
"3.7.5-2ubuntu1~18.04.2+esm6",
"3.7.5-2ubuntu1~18.04.2+esm7",
"3.7.5-2ubuntu1~18.04.2+esm8",
"3.7.5-2ubuntu1~18.04.2+esm9"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "idle-python3.8",
"binary_version": "3.8.0-3ubuntu1~18.04.2+esm10"
},
{
"binary_name": "libpython3.8",
"binary_version": "3.8.0-3ubuntu1~18.04.2+esm10"
},
{
"binary_name": "libpython3.8-minimal",
"binary_version": "3.8.0-3ubuntu1~18.04.2+esm10"
},
{
"binary_name": "libpython3.8-stdlib",
"binary_version": "3.8.0-3ubuntu1~18.04.2+esm10"
},
{
"binary_name": "libpython3.8-testsuite",
"binary_version": "3.8.0-3ubuntu1~18.04.2+esm10"
},
{
"binary_name": "python3.8",
"binary_version": "3.8.0-3ubuntu1~18.04.2+esm10"
},
{
"binary_name": "python3.8-examples",
"binary_version": "3.8.0-3ubuntu1~18.04.2+esm10"
},
{
"binary_name": "python3.8-minimal",
"binary_version": "3.8.0-3ubuntu1~18.04.2+esm10"
},
{
"binary_name": "python3.8-venv",
"binary_version": "3.8.0-3ubuntu1~18.04.2+esm10"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "python3.8",
"purl": "pkg:deb/ubuntu/python3.8@3.8.0-3ubuntu1~18.04.2+esm10?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.0-3ubuntu1~18.04.2+esm10"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.8.0-3~18.04",
"3.8.0-3~18.04.1",
"3.8.0-3ubuntu1~18.04.2",
"3.8.0-3ubuntu1~18.04.2+esm1",
"3.8.0-3ubuntu1~18.04.2+esm2",
"3.8.0-3ubuntu1~18.04.2+esm3",
"3.8.0-3ubuntu1~18.04.2+esm4",
"3.8.0-3ubuntu1~18.04.2+esm5",
"3.8.0-3ubuntu1~18.04.2+esm6",
"3.8.0-3ubuntu1~18.04.2+esm7",
"3.8.0-3ubuntu1~18.04.2+esm8",
"3.8.0-3ubuntu1~18.04.2+esm9"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "idle-python3.8",
"binary_version": "3.8.10-0ubuntu1~20.04.18+esm6"
},
{
"binary_name": "libpython3.8",
"binary_version": "3.8.10-0ubuntu1~20.04.18+esm6"
},
{
"binary_name": "libpython3.8-minimal",
"binary_version": "3.8.10-0ubuntu1~20.04.18+esm6"
},
{
"binary_name": "libpython3.8-stdlib",
"binary_version": "3.8.10-0ubuntu1~20.04.18+esm6"
},
{
"binary_name": "libpython3.8-testsuite",
"binary_version": "3.8.10-0ubuntu1~20.04.18+esm6"
},
{
"binary_name": "python3.8",
"binary_version": "3.8.10-0ubuntu1~20.04.18+esm6"
},
{
"binary_name": "python3.8-examples",
"binary_version": "3.8.10-0ubuntu1~20.04.18+esm6"
},
{
"binary_name": "python3.8-full",
"binary_version": "3.8.10-0ubuntu1~20.04.18+esm6"
},
{
"binary_name": "python3.8-minimal",
"binary_version": "3.8.10-0ubuntu1~20.04.18+esm6"
},
{
"binary_name": "python3.8-venv",
"binary_version": "3.8.10-0ubuntu1~20.04.18+esm6"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "python3.8",
"purl": "pkg:deb/ubuntu/python3.8@3.8.10-0ubuntu1~20.04.18+esm6?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.10-0ubuntu1~20.04.18+esm6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.8.0-1",
"3.8.0-2",
"3.8.0-3",
"3.8.0-4",
"3.8.0-5",
"3.8.1-2ubuntu3",
"3.8.2~rc1-1ubuntu1",
"3.8.2-1",
"3.8.2-1ubuntu1",
"3.8.2-1ubuntu1.1",
"3.8.2-1ubuntu1.2",
"3.8.5-1~20.04",
"3.8.5-1~20.04.2",
"3.8.5-1~20.04.3",
"3.8.10-0ubuntu1~20.04",
"3.8.10-0ubuntu1~20.04.1",
"3.8.10-0ubuntu1~20.04.2",
"3.8.10-0ubuntu1~20.04.4",
"3.8.10-0ubuntu1~20.04.5",
"3.8.10-0ubuntu1~20.04.6",
"3.8.10-0ubuntu1~20.04.7",
"3.8.10-0ubuntu1~20.04.8",
"3.8.10-0ubuntu1~20.04.9",
"3.8.10-0ubuntu1~20.04.10",
"3.8.10-0ubuntu1~20.04.11",
"3.8.10-0ubuntu1~20.04.12",
"3.8.10-0ubuntu1~20.04.13",
"3.8.10-0ubuntu1~20.04.14",
"3.8.10-0ubuntu1~20.04.15",
"3.8.10-0ubuntu1~20.04.16",
"3.8.10-0ubuntu1~20.04.17",
"3.8.10-0ubuntu1~20.04.18",
"3.8.10-0ubuntu1~20.04.18+esm1",
"3.8.10-0ubuntu1~20.04.18+esm2",
"3.8.10-0ubuntu1~20.04.18+esm3",
"3.8.10-0ubuntu1~20.04.18+esm4",
"3.8.10-0ubuntu1~20.04.18+esm5"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "idle-python3.9",
"binary_version": "3.9.5-3ubuntu0~20.04.1+esm10"
},
{
"binary_name": "libpython3.9",
"binary_version": "3.9.5-3ubuntu0~20.04.1+esm10"
},
{
"binary_name": "libpython3.9-minimal",
"binary_version": "3.9.5-3ubuntu0~20.04.1+esm10"
},
{
"binary_name": "libpython3.9-stdlib",
"binary_version": "3.9.5-3ubuntu0~20.04.1+esm10"
},
{
"binary_name": "libpython3.9-testsuite",
"binary_version": "3.9.5-3ubuntu0~20.04.1+esm10"
},
{
"binary_name": "python3.9",
"binary_version": "3.9.5-3ubuntu0~20.04.1+esm10"
},
{
"binary_name": "python3.9-examples",
"binary_version": "3.9.5-3ubuntu0~20.04.1+esm10"
},
{
"binary_name": "python3.9-full",
"binary_version": "3.9.5-3ubuntu0~20.04.1+esm10"
},
{
"binary_name": "python3.9-minimal",
"binary_version": "3.9.5-3ubuntu0~20.04.1+esm10"
},
{
"binary_name": "python3.9-venv",
"binary_version": "3.9.5-3ubuntu0~20.04.1+esm10"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "python3.9",
"purl": "pkg:deb/ubuntu/python3.9@3.9.5-3ubuntu0~20.04.1+esm10?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.5-3ubuntu0~20.04.1+esm10"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.9.0~rc1-1~20.04",
"3.9.0-5~20.04",
"3.9.5-3~20.04.1",
"3.9.5-3ubuntu0~20.04.1",
"3.9.5-3ubuntu0~20.04.1+esm1",
"3.9.5-3ubuntu0~20.04.1+esm2",
"3.9.5-3ubuntu0~20.04.1+esm3",
"3.9.5-3ubuntu0~20.04.1+esm4",
"3.9.5-3ubuntu0~20.04.1+esm5",
"3.9.5-3ubuntu0~20.04.1+esm6",
"3.9.5-3ubuntu0~20.04.1+esm7",
"3.9.5-3ubuntu0~20.04.1+esm8",
"3.9.5-3ubuntu0~20.04.1+esm9"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.10",
"binary_version": "3.10.12-1~22.04.15"
},
{
"binary_name": "libpython3.10",
"binary_version": "3.10.12-1~22.04.15"
},
{
"binary_name": "libpython3.10-minimal",
"binary_version": "3.10.12-1~22.04.15"
},
{
"binary_name": "libpython3.10-stdlib",
"binary_version": "3.10.12-1~22.04.15"
},
{
"binary_name": "libpython3.10-testsuite",
"binary_version": "3.10.12-1~22.04.15"
},
{
"binary_name": "python3.10",
"binary_version": "3.10.12-1~22.04.15"
},
{
"binary_name": "python3.10-examples",
"binary_version": "3.10.12-1~22.04.15"
},
{
"binary_name": "python3.10-full",
"binary_version": "3.10.12-1~22.04.15"
},
{
"binary_name": "python3.10-minimal",
"binary_version": "3.10.12-1~22.04.15"
},
{
"binary_name": "python3.10-nopie",
"binary_version": "3.10.12-1~22.04.15"
},
{
"binary_name": "python3.10-venv",
"binary_version": "3.10.12-1~22.04.15"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "python3.10",
"purl": "pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.15?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.10.12-1~22.04.15"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.10.0-2",
"3.10.0-3",
"3.10.0-4",
"3.10.0-5",
"3.10.0-5build1",
"3.10.1-1",
"3.10.1-2",
"3.10.2-1",
"3.10.2-5",
"3.10.2-7",
"3.10.3-1",
"3.10.4-3",
"3.10.4-3ubuntu0.1",
"3.10.6-1~22.04",
"3.10.6-1~22.04.1",
"3.10.6-1~22.04.2",
"3.10.6-1~22.04.2ubuntu1",
"3.10.6-1~22.04.2ubuntu1.1",
"3.10.12-1~22.04.2",
"3.10.12-1~22.04.3",
"3.10.12-1~22.04.4",
"3.10.12-1~22.04.5",
"3.10.12-1~22.04.6",
"3.10.12-1~22.04.7",
"3.10.12-1~22.04.8",
"3.10.12-1~22.04.9",
"3.10.12-1~22.04.10",
"3.10.12-1~22.04.11",
"3.10.12-1~22.04.12",
"3.10.12-1~22.04.13",
"3.10.12-1~22.04.14"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "idle-python3.11",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
},
{
"binary_name": "libpython3.11",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
},
{
"binary_name": "libpython3.11-minimal",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
},
{
"binary_name": "libpython3.11-stdlib",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
},
{
"binary_name": "libpython3.11-testsuite",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
},
{
"binary_name": "python3.11",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
},
{
"binary_name": "python3.11-examples",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
},
{
"binary_name": "python3.11-full",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
},
{
"binary_name": "python3.11-minimal",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
},
{
"binary_name": "python3.11-nopie",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
},
{
"binary_name": "python3.11-venv",
"binary_version": "3.11.0~rc1-1~22.04.1~esm9"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "python3.11",
"purl": "pkg:deb/ubuntu/python3.11@3.11.0~rc1-1~22.04.1~esm9?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11.0~rc1-1~22.04.1~esm9"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.11.0~rc1-1~22.04",
"3.11.0~rc1-1~22.04.1~esm1",
"3.11.0~rc1-1~22.04.1~esm2",
"3.11.0~rc1-1~22.04.1~esm3",
"3.11.0~rc1-1~22.04.1~esm4",
"3.11.0~rc1-1~22.04.1~esm5",
"3.11.0~rc1-1~22.04.1~esm6",
"3.11.0~rc1-1~22.04.1~esm7",
"3.11.0~rc1-1~22.04.1~esm8"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:24.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.12",
"binary_version": "3.12.3-1ubuntu0.12"
},
{
"binary_name": "libpython3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.12"
},
{
"binary_name": "libpython3.12-stdlib",
"binary_version": "3.12.3-1ubuntu0.12"
},
{
"binary_name": "libpython3.12-testsuite",
"binary_version": "3.12.3-1ubuntu0.12"
},
{
"binary_name": "libpython3.12t64",
"binary_version": "3.12.3-1ubuntu0.12"
},
{
"binary_name": "python3.12",
"binary_version": "3.12.3-1ubuntu0.12"
},
{
"binary_name": "python3.12-examples",
"binary_version": "3.12.3-1ubuntu0.12"
},
{
"binary_name": "python3.12-full",
"binary_version": "3.12.3-1ubuntu0.12"
},
{
"binary_name": "python3.12-minimal",
"binary_version": "3.12.3-1ubuntu0.12"
},
{
"binary_name": "python3.12-nopie",
"binary_version": "3.12.3-1ubuntu0.12"
},
{
"binary_name": "python3.12-venv",
"binary_version": "3.12.3-1ubuntu0.12"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "python3.12",
"purl": "pkg:deb/ubuntu/python3.12@3.12.3-1ubuntu0.12?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.3-1ubuntu0.12"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.12.0-1",
"3.12.0-5",
"3.12.0-6",
"3.12.0-7",
"3.12.1-2",
"3.12.2-1",
"3.12.2-4build3",
"3.12.2-4build4",
"3.12.2-5ubuntu3",
"3.12.3-1",
"3.12.3-1ubuntu0.1",
"3.12.3-1ubuntu0.2",
"3.12.3-1ubuntu0.3",
"3.12.3-1ubuntu0.4",
"3.12.3-1ubuntu0.5",
"3.12.3-1ubuntu0.6",
"3.12.3-1ubuntu0.7",
"3.12.3-1ubuntu0.8",
"3.12.3-1ubuntu0.9",
"3.12.3-1ubuntu0.10",
"3.12.3-1ubuntu0.11"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:25.10"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.13",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "libpython3.13",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "libpython3.13-minimal",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "libpython3.13-stdlib",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "libpython3.13-testsuite",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "python3.13",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "python3.13-examples",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "python3.13-full",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "python3.13-gdbm",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "python3.13-minimal",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "python3.13-nopie",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "python3.13-tk",
"binary_version": "3.13.7-1ubuntu0.4"
},
{
"binary_name": "python3.13-venv",
"binary_version": "3.13.7-1ubuntu0.4"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "python3.13",
"purl": "pkg:deb/ubuntu/python3.13@3.13.7-1ubuntu0.4?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.13.7-1ubuntu0.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.13.3-1",
"3.13.3-2",
"3.13.3-4",
"3.13.4-1",
"3.13.5-1",
"3.13.5-2",
"3.13.6-1",
"3.13.7-1",
"3.13.7-1ubuntu0.1",
"3.13.7-1ubuntu0.2",
"3.13.7-1ubuntu0.3"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-15366",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-15367",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-0865",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:25.10"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "idle-python3.14",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "libpython3.14",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "libpython3.14-minimal",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "libpython3.14-stdlib",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "libpython3.14-testsuite",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "python3.14",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "python3.14-examples",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "python3.14-full",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "python3.14-gdbm",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "python3.14-minimal",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "python3.14-nopie",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "python3.14-tk",
"binary_version": "3.14.0-1ubuntu0.3"
},
{
"binary_name": "python3.14-venv",
"binary_version": "3.14.0-1ubuntu0.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "python3.14",
"purl": "pkg:deb/ubuntu/python3.14@3.14.0-1ubuntu0.3?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0-1ubuntu0.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.14.0~a7-0ubuntu1",
"3.14.0~b1-1",
"3.14.0~b3-1",
"3.14.0~rc1-1",
"3.14.0~rc2-1",
"3.14.0~rc3-1",
"3.14.0-1",
"3.14.0-1ubuntu0.1",
"3.14.0-1ubuntu0.2"
]
}
],
"aliases": [],
"details": "USN-8018-1 fixed vulnerabilities in python3. That update introduced\nregressions. The patches for CVE-2025-15366 and CVE-2025-15367 caused\nbehavior regressions in IMAP and POP3 handling, which upstream chose to\navoid by not backporting them. Additionally, the patch for CVE-2026-0865\nincorrectly rejected horizontal tabs in wsgiref headers. This update fixes\nthese problems.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\n Denis Ledoux discovered that Python incorrectly parsed email message\n headers. An attacker could possibly use this issue to inject arbitrary\n headers into email messages. This issue only affected python3.6,\n python3.7, python3.8, python3.9, python3.10, python3.11, python3.12,\n python3.13, and python3.14 packages. (CVE-2025-11468)\n\n Jacob Walls, Shai Berger, and Natalia Bidart discovered that Python\n inefficiently parsed XML input with quadratic complexity. An attacker\n could possibly use this issue to cause a denial of service.\n (CVE-2025-12084)\n\n It was discovered that Python incorrectly parsed malicious plist files. An\n attacker could possibly use this issue to cause Python to use excessive\n resources, leading to a denial of service. This issue only affected\n python3.5, python3.6, python3.7, python3.8, python3.9, python3.10,\n python3.11, python3.12, python3.13, and python3.14 packages.\n (CVE-2025-13837)\n\n Omar Hasan discovered that Python incorrectly parsed URL mediatypes. An\n attacker could possibly use this issue to inject arbitrary HTTP headers.\n (CVE-2025-15282)\n\n Omar Hasan discovered that Python incorrectly parsed malicious IMAP\n inputs. An attacker could possibly use this issue to inject arbitrary\n IMAP commands. (CVE-2025-15366)\n\n Omar Hasan discovered that Python incorrectly parsed malicious POP3\n inputs. An attacker could possibly use this issue to inject arbitrary\n POP3 commands. (CVE-2025-15367)\n\n Omar Hasan discovered that Python incorrectly parsed malicious HTTP cookie\n headers. An attacker could possibly use this issue to inject arbitrary\n HTTP headers. (CVE-2026-0672)\n\n Omar Hasan discovered that Python incorrectly parsed malicious HTTP header\n names and values. An attacker could possibly use this issue to inject\n arbitrary HTTP headers. (CVE-2026-0865)",
"id": "USN-8018-2",
"modified": "2026-06-25T10:47:03Z",
"published": "2026-03-09T09:24:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8018-2"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-15366"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-15367"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-0865"
},
{
"type": "REPORT",
"url": "https://bugs.launchpad.net/bugs/2143706"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "python3.4, python3.5, python3.6, python3.7, python3.8, python3.9,\npython3.10, python3.11, python3.12, python3.13, python3.14 regression",
"upstream": [
"UBUNTU-CVE-2025-15366",
"UBUNTU-CVE-2025-15367",
"UBUNTU-CVE-2026-0865"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.