CPython Flaws Expose Proxy Header Injection and Remote Debug Memory Corruption
CPython disclosed two medium-severity vulnerabilities affecting distinct parts of the runtime and tooling. CVE-2026-1502 allows CR/LF bytes to pass through HTTP client proxy tunnel header or host handling, creating a header-injection risk in proxy tunnel scenarios. The issue was published through Python security channels and the oss-sec mailing list, with remediation details tracked in the CVE record and an associated CPython pull request.
A second flaw, CVE-2026-5713, affects CPython remote debugging and introspection features and can trigger out-of-bounds read and write behavior when a privileged Python process connects to a malicious or compromised Python target. The bug impacts newer capabilities including profiling.sampling in Python 3.15+ and asyncio inspection commands such as ```
python -m asyncio ps
python -m asyncio pstree
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CPython remote debugging memory corruption flaw disclosed as CVE-2026-5713
A medium-severity CPython vulnerability, CVE-2026-5713, was publicly disclosed affecting remote debugging-related functionality, where connecting from a privileged Python process to a malicious target could trigger out-of-bounds read and write access. The issue was reported as affecting newer features in Python 3.14+ and 3.15+, including asyncio introspection tools and profiling.sampling, with public references to the CVE record and a CPython GitHub pull request.
CPython CR/LF proxy tunnel header flaw disclosed as CVE-2026-1502
A medium-severity CPython vulnerability, CVE-2026-1502, was publicly disclosed involving improper validation of CR/LF bytes in HTTP client proxy tunnel headers or host values, creating a header-injection-style risk in proxy tunnel handling. The disclosure referenced the CVE record and an associated CPython pull request for affected versions and remediation details.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
oss-sec: [oss-security][CVE-2026-5713] CPython: Out-of-bounds read/write during remote debugging when connecting to malicious target
seclists.org
Open sourceoss-sec: CPython [CVE-2026-1502] HTTP client proxy tunnel headers not validated for CR/LF
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Python Packaging and CPython Flaws Enable Privilege Escalation and Security Bypass
dCERT issued advisories for two Python-related vulnerabilities affecting **Red Hat Enterprise Linux** and **CPython**. One advisory warns that a flaw in `python-wheel` on Red Hat Enterprise Linux can allow **privilege escalation** and **arbitrary code execution**, creating a path for attackers to gain elevated access and run malicious code on affected systems. A second dCERT advisory reports a **CPython** vulnerability that can **bypass security measures**, indicating that protections relying on expected interpreter behavior may be undermined on vulnerable deployments. Together, the advisories highlight risk across both the Python runtime and packaging ecosystem, with potential impact ranging from weakened defensive controls to full code execution on enterprise Linux environments.
May 15, 2026
Mesop Flaws Enable Unauthenticated RCE and Path Traversal
Two high-severity vulnerabilities in the Python web UI framework **Mesop** exposed applications to unauthenticated compromise in version `1.2.2` and earlier. The most critical issue, tracked as `CVE-2026-33057`, allowed remote code execution through an exposed `/exec-py` route in Mesop's AI testing infrastructure, where a debugging Flask server accepted base64-encoded Python code and executed it without authentication. The flaw was assigned `CWE-94` and a `CVSS 3.1` score vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. A second flaw, `CVE-2026-33054`, let attackers exploit path traversal via an untrusted `state_token` processed by `FileStateSessionBackend`, enabling file write or deletion outside intended application boundaries and potentially causing denial-of-service crash loops. That issue was classified as `CWE-22` with a `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`. Mesop addressed both vulnerabilities in version `1.2.3`, and GitHub published security advisories and patch references for the fixes.
Mar 20, 2026
Python fixes code execution and package confusion flaws in install manager and pip
Python disclosed **CVE-2026-5271**, a medium-severity flaw in the Python install manager that affects script alias entrypoints generated by version `26.0`. The bug could leave the search path empty, allowing a Python module in the current working directory to override the intended module and execute code as the user. Python said the issue is fixed in version `26.1`, noted that versions prior to `26.0` are not affected, and advised users to update and regenerate vulnerable aliases with: ```bash py install --refresh ``` A separate medium-severity issue, **CVE-2026-3219**, was disclosed in `pip` for its handling of concatenated TAR and ZIP archives. `pip` treated concatenated TAR/ZIP files as ZIP archives regardless of filename or whether the file could be interpreted as both formats, creating confusing installation results and potentially installing files that did not match the expected archive type. The fix changes `pip` so installation proceeds only when an archive is uniquely identified as either ZIP or TAR, reducing the risk of ambiguous package handling in Python software distribution workflows.
Apr 20, 2026