SB2026021706 - Improper input validation in Python
Published: February 17, 2026
Security Bulletin ID
SB2026021706
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Type conversion (CVE-ID: CVE-2025-12781)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a type conversion issue in b64decode(), standard_b64decode(), and urlsafe_b64decode() functions when parsing strings with "+" or "/" character. A remote attacker send specially crafted data to the application that can bypass implemented security restrictions.
Remediation
Install update from vendor's website.
References
- https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b
- https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947
- https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5
- https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76
- https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5
- https://github.com/python/cpython/issues/125346
- https://github.com/python/cpython/pull/141128
- https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/