Vulnerable Library - python-3.10.9-he550d4f_0_cpython.conda
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.10.9/linux-64/python-3.10.9-he550d4f_0_cpython.conda
Path to dependency file: /pipelines/deploy/Spark-Single-Node-Notebook-AWS/environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.10.9-he550d4f_0_cpython.conda
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (python version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-11972 | High | 7.5 | python-3.10.9-he550d4f_0_cpython.conda | Direct | N/A | ❌ |
| CVE-2026-12003 | Medium | 6.6 | python-3.10.9-he550d4f_0_cpython.conda | Direct | python - 3.13.14, python - 3.14.6, https://github.com/python/cpython.git - v3.12.11, https://github.com/python/cpython.git - v3.13.4, https://github.com/python/cpython.git - v3.7.13, https://github.com/python/cpython.git - v3.9.23, https://github.com/python/cpython.git - v3.14.6, https://github.com/python/cpython.git - v3.8.19, https://github.com/python/cpython.git - v3.10.18, https://github.com/python/cpython.git - v3.11.13 | ❌ |
| CVE-2026-9669 | Medium | 5.9 | python-3.10.9-he550d4f_0_cpython.conda | Direct | python - 3.14.6, python - 3.13.14, https://github.com/python/cpython.git - v3.13.14, https://github.com/python/cpython.git - v3.14.6 | ❌ |
| CVE-2026-1502 | Medium | 4.5 | python-3.10.9-he550d4f_0_cpython.conda | Direct | N/A | ❌ |
| CVE-2026-0864 | Medium | 4.2 | python-3.10.9-he550d4f_0_cpython.conda | Direct | N/A | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-11972
Vulnerable Library - python-3.10.9-he550d4f_0_cpython.conda
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.10.9/linux-64/python-3.10.9-he550d4f_0_cpython.conda
Path to dependency file: /pipelines/deploy/Spark-Single-Node-Notebook-AWS/environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.10.9-he550d4f_0_cpython.conda
Dependency Hierarchy:
- ❌ python-3.10.9-he550d4f_0_cpython.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
Publish Date: 2026-06-23
URL: CVE-2026-11972
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2026-12003
Vulnerable Library - python-3.10.9-he550d4f_0_cpython.conda
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.10.9/linux-64/python-3.10.9-he550d4f_0_cpython.conda
Path to dependency file: /pipelines/deploy/Spark-Single-Node-Notebook-AWS/environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.10.9-he550d4f_0_cpython.conda
Dependency Hierarchy:
- ❌ python-3.10.9-he550d4f_0_cpython.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
To allow builds of Python to be run from an in-tree layout (rather than
an installed file layout), the VPATH variable is defined at build time
and used to locate certain landmarks - specifically,
Modules/setup.local. When this landmark is found relative to VPATH
relative to the executable, Python assumes it is running in a source
tree and generates a different default sys.path. This code remains in
release builds, so that release-ready builds can be built in-tree.
On Windows, since builds are written to 'PCbuild/', the value of
VPATH is set to '..\..', which results in a landmark of
'..\..\Modules\setup.local'. This path is outside the install directory
of Python, and may have different permissions, potentially allowing a
low-privilege user to create the landmark and an alternative "Lib"
folder that will be discovered by an otherwise restricted install.
Such a setup occurs with the legacy default install location for all
users (in the now superseded EXE installer), due to how Windows allows
all users to create folders in the root directory of their OS drive.
Our recommended mitigation on Windows is to migrate away from the
legacy installer and use the new "Python install
manager" (https://www.python.org/downloads/latest/pymanager/) to install
for the current user. Installs where the directory two levels above the
Python installation directory have equivalent permissions are unaffected
(in general, a per-user install cannot be modified at all by other
users, removing any escalation of privilege risk, and could be directly
modified by a privileged user, making the potential tampering
irrelevant). Alternative mitigations might include preemptively creating
and restricting access to a "Modules" directory. Be aware that only 3.13
and 3.14 will receive updated legacy installers - earlier fixes are only
provided as sources.
Platforms other than Windows allow VPATH to be overridden, but as they
don't usually use a separated directory in the build for binaries, are
unlikely to have a landmark reference outside of the install directory.
The landmark detection involving VPATH is a fallback for when a more
specific landmark - .\pybuilddir.txt - is absent, and was included for
compatibility. Future releases of Python will no longer include the
fallback, and so builds will need to generate or preserve the
pybuilddir.txt file in order to work in-tree. This landmark file has
been generated on Windows since 3.11, and on other platforms for longer.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-06-16
URL: CVE-2026-12003
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-16
Fix Resolution: python - 3.13.14,python - 3.14.6,https://github.com/python/cpython.git - v3.12.11,https://github.com/python/cpython.git - v3.13.4,https://github.com/python/cpython.git - v3.7.13,https://github.com/python/cpython.git - v3.9.23,https://github.com/python/cpython.git - v3.14.6,https://github.com/python/cpython.git - v3.8.19,https://github.com/python/cpython.git - v3.10.18,https://github.com/python/cpython.git - v3.11.13
CVE-2026-9669
Vulnerable Library - python-3.10.9-he550d4f_0_cpython.conda
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.10.9/linux-64/python-3.10.9-he550d4f_0_cpython.conda
Path to dependency file: /pipelines/deploy/Spark-Single-Node-Notebook-AWS/environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.10.9-he550d4f_0_cpython.conda
Dependency Hierarchy:
- ❌ python-3.10.9-he550d4f_0_cpython.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
Publish Date: 2026-06-08
URL: CVE-2026-9669
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-08
Fix Resolution: python - 3.14.6,python - 3.13.14,https://github.com/python/cpython.git - v3.13.14,https://github.com/python/cpython.git - v3.14.6
CVE-2026-1502
Vulnerable Library - python-3.10.9-he550d4f_0_cpython.conda
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.10.9/linux-64/python-3.10.9-he550d4f_0_cpython.conda
Path to dependency file: /pipelines/deploy/Spark-Single-Node-Notebook-AWS/environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.10.9-he550d4f_0_cpython.conda
Dependency Hierarchy:
- ❌ python-3.10.9-he550d4f_0_cpython.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
CR/LF bytes were not rejected in the HTTP client's proxy tunnel headers or in the tunnel host, allowing header injection into the CONNECT request.
Publish Date: 2026-04-10
URL: CVE-2026-1502
CVSS 3 Score Details (4.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
CVE-2026-0864
Vulnerable Library - python-3.10.9-he550d4f_0_cpython.conda
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.10.9/linux-64/python-3.10.9-he550d4f_0_cpython.conda
Path to dependency file: /pipelines/deploy/Spark-Single-Node-Notebook-AWS/environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.10.9-he550d4f_0_cpython.conda
Dependency Hierarchy:
- ❌ python-3.10.9-he550d4f_0_cpython.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r), the resulting file could be injected with unexpected keys and values if the attacker controls the written value.
Publish Date: 2026-06-23
URL: CVE-2026-0864
CVSS 3 Score Details (4.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None