CVE-2026-2297
SourcelessFileLoader does not use io.open_code()The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
We have discovered 470 live websites that are affected by CVE-2026-2297.
Affected Software
| Product |  CPython |
| Category | Programming Languages |
| Vulnerable Domains | 470 live websites (100% of CPython install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 72 versions ( 100% of all versions) |
Details
- Published - Mar 4, 2026
- Updated - Apr 7, 2026
CVE References
Website Distribution by Country
Number of websites using CVE-2026-2297 United States | 150 websites |
 Germany | 59 websites |
 Singapore | 28 websites |
 India | 22 websites |
 France | 19 websites |
 Russia | 15 websites |
 China | 13 websites |
 Brazil | 11 websites |
 GB | 11 websites |
 Australia | 10 websites |
Website Distribution by TLD
Number of websites using CVE-2026-2297| .com | 160 websites |
| .org | 47 websites |
| .dk | 26 websites |
| .de | 20 websites |
| .net | 19 websites |
| .nl | 9 websites |
| .edu | 8 websites |
| .ru | 8 websites |
| .fr | 7 websites |
| .ch | 7 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-2297
Top websites that are affected by CVE-2026-2297. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | **,*** | |
| *********.com |  Netherlands | ***,*** | |
| *******.***.org | Germany | ***,*** | |
| *****.org | Germany | ***,*** | |
| ***********.org | Australia | ***,*** | |
| ****.***********.***.au | Australia | ***,*** | |
| *******.org | Australia | ***,*** | |
| *****.*****.de | Germany | ***,*** | |
| ********.***.***.gr |  Greece | ***,*** | |
| ***.********.it |  Italy | ***,*** |
FAQ
A total of 470 websites have been identified as vulnerable to CVE-2026-2297, based on global website indexing conducted by WebTechSurvey.
The CPython is affected by the CVE-2026-2297 vulnerability.
CPython versions up to 3.14.4 are vulnerable to CVE-2026-2297.
CVE-2026-2297 is resolved in version 3.14.4 of CPython.
References
- https://github.com/python/cpython/issues/145506
- https://github.com/python/cpython/pull/145507
- https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e
- https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e
- https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86