CVE-2014-4650

VIR risk: 1.0

Description

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Predictions

Exploit likelihood: 55%
Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Vendor advisory (debian, authored 2026-05-27): https://security-tracker.debian.org/tracker/CVE-2014-4650

Vendor advisory (suse, authored 2026-05-27): https://www.suse.com/security/cve/CVE-2014-4650.html

Exploits

Exploit-DB

OS impact

OS              Version    Status     Fixed in
suse sles       -          affected   -
debian debian   bullseye   fixed      2.7.8-1
