CVE-2025-15367
POP3 command injection in user-controlled commandsThe poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
We have discovered 470 live websites that are affected by CVE-2025-15367.
Affected Software
| Product |  CPython |
| Category | Programming Languages |
| Vulnerable Domains | 470 live websites (100% of CPython install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 72 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')Details
- Published - Jan 20, 2026
- Updated - Feb 26, 2026
Credits
- Omar M. Hasan (reporter)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-15367 United States | 150 websites |
 Germany | 59 websites |
 Singapore | 28 websites |
 India | 22 websites |
 France | 19 websites |
 Russia | 15 websites |
 China | 13 websites |
 Brazil | 11 websites |
 GB | 11 websites |
 Australia | 10 websites |
Website Distribution by TLD
Number of websites using CVE-2025-15367| .com | 160 websites |
| .org | 47 websites |
| .dk | 26 websites |
| .de | 20 websites |
| .net | 19 websites |
| .nl | 9 websites |
| .edu | 8 websites |
| .ru | 8 websites |
| .fr | 7 websites |
| .ch | 7 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-15367
Top websites that are affected by CVE-2025-15367. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | **,*** | |
| *********.com |  Netherlands | ***,*** | |
| *******.***.org | Germany | ***,*** | |
| *****.org | Germany | ***,*** | |
| ***********.org | Australia | ***,*** | |
| ****.***********.***.au | Australia | ***,*** | |
| *******.org | Australia | ***,*** | |
| *****.*****.de | Germany | ***,*** | |
| ********.***.***.gr |  Greece | ***,*** | |
| ***.********.it |  Italy | ***,*** |
FAQ
CVE-2025-15367 is Improper Neutralization of Special Elements used in a Command ('Command Injection') in CPython
A total of 470 websites have been identified as vulnerable to CVE-2025-15367, based on global website indexing conducted by WebTechSurvey.
The CPython is affected by the CVE-2025-15367 vulnerability.
CPython versions up to 3.15 are vulnerable to CVE-2025-15367.
CVE-2025-15367 is resolved in version 3.15 of CPython.