CVE-2026-0672

EUVD-2026-3521
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CRLF Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
PSFCNA
6 MEDIUM
NETWORK
LOW
LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
pythoncpython
𝑥
< 3.10.20
CNA
pythoncpython
3.11.0 ≤
𝑥
< 3.11.15
CNA
pythoncpython
3.12.0 ≤
𝑥
< 3.12.13
CNA
pythoncpython
3.13.0 ≤
𝑥
< 3.13.12
CNA
pythoncpython
3.14.0 ≤
𝑥
< 3.14.3
CNA
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172
https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440
https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d
https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca
https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70
https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85
https://github.com/python/cpython/issues/143919
https://github.com/python/cpython/pull/143920
https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/