Back to search

Python

Python

See the latest tracked release, confirm when it was published, and subscribe for update emails.

3.14 Current train Default Switch to this train 3.13 Switch to this train 3.12 Switch to this train 3.11 Switch to this train 3.10 Switch to this train
Current version
Last checked: 2026-06-03

3.14.5

Release date
May 10, 2026
Security status
Current version appears affected by 1 high-severity CVE.

Source

endoflife.date

Public release notes are linked for the latest stored release.

View release notes Subscribe to updates

Release history

See the latest published releases stored for this product.

Version Published Notes
3.14.5 2026-05-10 Release Notes
3.14.4 2026-04-07 Release Notes
3.14.3 2026-02-03 Release Notes

Vulnerability tracking

versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.

Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.

CVE Severity Published Status Summary
CVE-2026-7210 CRITICAL (9.8) 2026-05-11 Current versionaffected

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Affected versions
  • Up to (excluding) 3.15.0
CVE-2026-3087 HIGH (7.5) 2026-04-27 Current versionnot affected

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

Affected versions
  • Up to (including) 3.14.4
CVE-2026-4519 HIGH (7.0) 2026-03-20 Current versionnot affected

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Affected versions
  • Up to (excluding) 3.13.13
  • From (including) 3.14.0 - Up to (excluding) 3.14.4
versionPing is an unofficial free service that tracks software releases and notifies you when CVEs and updates are available. Built by an engineer for engineers.ImprintPrivacy Notice