CVE-2026-1299

EUVD-2026-4272
The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable when using "LiteralHeader" to write headers that don't respect email folding rules; with the new behavior, "BytesGenerator" rejects the incorrectly folded headers.
CRLF Injection
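Added example, not part of the original record or of the email module's own code: a pre-serialization check that refuses any header value containing a line break not followed by folding whitespace, which is the class of incorrectly folded header described above. The regex, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email.generator import BytesGenerator
from email.message import Message
from io import BytesIO

# After normalising line endings, a break inside a header value is a legal
# fold only when the next character is a space or tab (folding whitespace).
_BREAK_WITHOUT_FWSP = re.compile(r'\n(?![ \t])')


def unfolded_breaks(msg):
    """Return [(header name, text that would start a new line)] per bad break."""
    findings = []
    for name, value in msg.raw_items():
        text = str(value).replace('\r\n', '\n').replace('\r', '\n')
        for match in _BREAK_WITHOUT_FWSP.finditer(text):
            findings.append((name, text[match.end():].split('\n', 1)[0]))
    return findings


def safe_as_bytes(msg):
    """Serialise with BytesGenerator only if every header value is safely folded."""
    findings = unfolded_breaks(msg)
    if findings:
        raise ValueError('unfolded line break in header value: %r' % findings)
    buf = BytesIO()
    BytesGenerator(buf).flatten(msg)
    return buf.getvalue()


def build_samples():
    """Constructed messages: one with a legal fold, one with an embedded CRLF."""
    good = Message()
    good['Subject'] = 'Weekly report'
    good['X-Note'] = 'line one\n line two'  # continuation line: legal fold
    bad = Message()
    bad['Subject'] = 'Weekly report\r\nBcc: audit-test@example.invalid'
    return good, bad


if __name__ == '__main__':
    good, bad = build_samples()
    print(safe_as_bytes(good).decode('ascii'))
    print(unfolded_breaks(bad))
```

Running the check on raw header values before calling the generator gives the same rejection on interpreter versions that have not yet received the fix.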
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | UNKNOWN | --- | Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score Percentile: 12%
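Debian Releases
Debian Product | Codename | Version | Status
pypy3 | bookworm | | no-dsa
pypy3 | bullseye | | postponed
pypy3 | bullseye (security) | | vulnerable
pypy3 | forky | | vulnerable
pypy3 | sid | | vulnerable
pypy3 | trixie | | no-dsa
python3.11 | bookworm | | no-dsa
python3.11 | bookworm (security) | | vulnerable
python3.11 | bullseye | | postponed
python3.11 | trixie | | no-dsa
python3.13 | bookworm | | no-dsa
python3.13 | bullseye | | postponed
python3.13 | forky | 3.13.12-1 | fixed
python3.13 | sid | 3.13.12-1 | fixed
python3.13 | trixie | | no-dsa
python3.14 | bookworm | | no-dsa
python3.14 | bullseye | | postponed
python3.14 | forky | 3.14.3-1 | fixed
python3.14 | sid | 3.14.3-1 | fixed
python3.14 | trixie | | no-dsa
python3.9 | bookworm | | no-dsa
python3.9 | bullseye | | postponed
python3.9 | bullseye (security) | 3.9.2-1+deb11u5 | fixed
python3.9 | trixie | | no-dsa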