Python
Python
See the latest tracked release, confirm when it was published, and subscribe for update emails.
3.10.20
- Release date
- March 03, 2026
- Security status
- Current version appears affected by 3 high-severity CVEs.
Source
Public release notes are linked for the latest stored release.
Release history
See the latest published releases stored for this product.
| Version | Published | Notes |
|---|---|---|
| 3.10.20 | 2026-03-03 | Release Notes |
Vulnerability tracking
versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.
Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.
| CVE | Severity | Published | Status | Summary |
|---|---|---|---|---|
| CVE-2026-7210 | CRITICAL (9.8) | 2026-05-11 | Current versionaffected | `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch. Affected versions
|
| CVE-2026-3087 | HIGH (7.5) | 2026-04-27 | Current versionaffected | If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability. Affected versions
|
| CVE-2026-4519 | HIGH (7.0) | 2026-03-20 | Current versionaffected | The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open(). Affected versions
|