Python 3 Update Fixes Critical Security Risks
SUSE-SU-2026:1385-1
Summary
This update for Python 3 fixes five security issues in the standard library, each of which is triggered by untrusted input reaching a vulnerable parser or API. The issues are: incorrect parsing of tar archive headers, improper validation of a resource argument that allows path traversal, incomplete validation of control characters in http.cookies, a C stack overflow when parsing XML with deeply nested DTD content models, and web browser command line option injection through webbrowser.open(). Update python3 and python3-base to the fixed version to pick up these patches.
What to do
- Update python3 to version 3.4.10-25.180.1.
- Update python3-base to version 3.4.10-25.180.1.
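The two update steps above reduce to one check: is the installed VERSION-RELEASE of each package older than 3.4.10-25.180.1? The script below is an added example, not part of the SUSE advisory, that performs that comparison. It queries `rpm -q --qf '%{VERSION}-%{RELEASE}'` when rpm is available and otherwise falls back to a constructed sample, so it also runs on a non-SUSE host. The version comparison is a simplified form of rpm's ordering (numeric segments compared as integers, not as strings) and is sufficient for the versions in this advisory; run it with any Python 3.5 or newer interpreter, which need not be the patched one.

```python
"""Compare installed python3 / python3-base versions with the fix in SUSE-SU-2026:1385-1."""
import re
import shutil
import subprocess

# Fixed version taken from the advisory's "What to do" section.
FIXED_VERSION = "3.4.10-25.180.1"
ADVISORY_PACKAGES = ("python3", "python3-base")


def _tokens(part):
    """Split a version or release string into digit runs and letter runs."""
    return re.findall(r"\d+|[A-Za-z]+", part)


def _split(version):
    """Split 'VERSION-RELEASE' into two token lists (release may be empty)."""
    ver, _, rel = version.partition("-")
    return _tokens(ver), _tokens(rel)


def _cmp_tokens(a, b):
    """Simplified rpmvercmp: numbers compare as integers, numbers beat letters."""
    for x, y in zip(a, b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            if x.isdigit():
                return 1
            if y.isdigit():
                return -1
            return 1 if x > y else -1
    if len(a) != len(b):
        return 1 if len(a) > len(b) else -1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b (version first, then release)."""
    av, ar = _split(a)
    bv, br = _split(b)
    return _cmp_tokens(av, bv) or _cmp_tokens(ar, br)


def is_vulnerable(installed):
    """True when the installed VERSION-RELEASE is older than the fixed one."""
    return compare_versions(installed, FIXED_VERSION) < 0


def installed_version(package):
    """Ask rpm for VERSION-RELEASE; None if rpm is absent or the package is not installed."""
    if shutil.which("rpm") is None:
        return None
    result = subprocess.run(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True,
    )
    if result.returncode != 0:
        return None
    return result.stdout.strip()


def assess(versions):
    """Map package name -> human-readable status for the advisory's packages."""
    status = {}
    for pkg in ADVISORY_PACKAGES:
        v = versions.get(pkg)
        if v is None:
            status[pkg] = "not installed or rpm unavailable"
        elif is_vulnerable(v):
            status[pkg] = "VULNERABLE ({} < {})".format(v, FIXED_VERSION)
        else:
            status[pkg] = "patched ({})".format(v)
    return status


if __name__ == "__main__":
    live = {pkg: installed_version(pkg) for pkg in ADVISORY_PACKAGES}
    if all(v is None for v in live.values()):
        # Constructed sample used when rpm is not available on this host.
        live = {"python3": "3.4.10-25.179.1", "python3-base": "3.4.10-25.180.1"}
    for pkg, line in assess(live).items():
        print("{:<13} {}".format(pkg, line))
```

On an affected SLES 12 SP5 host the output lists each package as VULNERABLE or patched; the string comparison pitfall the script avoids is that "25.9.1" would sort after "25.180.1" lexically but is older numerically.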
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| SUSE:Linux Enterprise Server 12 SP5-LTSS | – | python3 | < 3.4.10-25.180.1 (fix: upgrade to 3.4.10-25.180.1) |
| SUSE:Linux Enterprise Server 12 SP5-LTSS | – | python3-base | < 3.4.10-25.180.1 (fix: upgrade to 3.4.10-25.180.1) |
| SUSE:Linux Enterprise Server LTSS Extended Security 12 SP5 | – | python3 | < 3.4.10-25.180.1 (fix: upgrade to 3.4.10-25.180.1) |
| SUSE:Linux Enterprise Server LTSS Extended Security 12 SP5 | – | python3-base | < 3.4.10-25.180.1 (fix: upgrade to 3.4.10-25.180.1) |
Original title
Security update for python3
Original description
This update for python3 fixes the following issues:
- CVE-2025-13462: incorrect parsing of TarInfo header when GNU long name and type AREGTYPE are combined (bsc#1259611).
- CVE-2026-3479: improper resource argument validation can allow path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies (bsc#1259734).
- CVE-2026-4224: C stack overflow when parsing XML with deeply nested DTD content models (bsc#1259735).
- CVE-2026-4519: leading dashes in URLs are accepted by the `webbrowser.open()` API and allow for web browser command line option injection (bsc#1260026).
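The last item describes a URL that starts with a dash being passed through `webbrowser.open()` to a browser's command line. Until the package update is applied, an application can refuse such input at its own boundary. The wrapper below is an added example (not SUSE's or CPython's fix) that only forwards plain http(s) URLs with a host and no leading dash or control characters; the `opener` parameter is an assumption introduced so the check can be exercised without launching a browser.

```python
"""Defensive wrapper around webbrowser.open() for untrusted URL input."""
import webbrowser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_browser_url(url):
    """Return the URL if it is a plain http(s) URL; raise ValueError otherwise."""
    if not isinstance(url, str):
        raise ValueError("URL must be a string")
    candidate = url.strip()
    # A leading dash could be read by the browser's command line parser as an
    # option rather than a URL; this is the shape of input CVE-2026-4519 concerns.
    if candidate.startswith("-"):
        raise ValueError("URL must not start with a dash")
    # Embedded whitespace or control characters can split or alter arguments.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        raise ValueError("URL must not contain whitespace or control characters")
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("only http and https URLs are allowed")
    if not parts.netloc:
        raise ValueError("URL has no host")
    return candidate


def is_safe_browser_url(url):
    """Boolean form of validate_browser_url for callers that prefer not to catch."""
    try:
        validate_browser_url(url)
    except ValueError:
        return False
    return True


def safe_open(url, opener=webbrowser.open):
    """Open the URL through `opener` only after it passes validation."""
    return opener(validate_browser_url(url))


if __name__ == "__main__":
    # Constructed samples; the recording opener avoids starting a real browser.
    opened = []
    record = lambda u: opened.append(u) or True
    for sample in ("https://example.com/docs", "-example-option", "ftp://example.com"):
        try:
            safe_open(sample, opener=record)
            print("opened:", sample)
        except ValueError as exc:
            print("rejected:", repr(sample), "->", exc)
```

The scheme allow-list does more work than the dash check alone: it also keeps file and custom schemes from reaching the browser, which is the usual intent of a "open this link" feature.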
References
- https://www.suse.com/support/update/announcement/2026/suse-su-20261385-1/ Vendor Advisory
- https://bugzilla.suse.com/1259611 Third Party Advisory
- https://bugzilla.suse.com/1259734 Third Party Advisory
- https://bugzilla.suse.com/1259735 Third Party Advisory
- https://bugzilla.suse.com/1259989 Third Party Advisory
- https://bugzilla.suse.com/1260026 Third Party Advisory
- https://www.suse.com/security/cve/CVE-2025-13462 URL
- https://www.suse.com/security/cve/CVE-2026-3479 URL
- https://www.suse.com/security/cve/CVE-2026-3644 URL
- https://www.suse.com/security/cve/CVE-2026-4224 URL
- https://www.suse.com/security/cve/CVE-2026-4519 URL
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026