CVE-2026-3644

EUVD-2026-12484
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6 MEDIUM
NETWORK
LOW
LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
pythoncpython
𝑥
< 3.15.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python3.11
bookworm
vulnerable
bookworm (security)
vulnerable
python3.13
forky
vulnerable
sid
vulnerable
trixie
vulnerable
python3.14
forky
vulnerable
sid
vulnerable
python3.9
bullseye
vulnerable
bullseye (security)
vulnerable
Common Weakness Enumeration
References
https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4
https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd
https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd
https://github.com/python/cpython/issues/145599
https://github.com/python/cpython/pull/145600
https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/