CVE-2026-0672

http - Cookie Injection

Title source: llm

Description

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

References (9)

[Various Sources] https://mail.python.org/archives/list/[email protected]/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/

[Patch] https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172

View Patch ZIP pw:eip

[Patch] https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440

[Patch] https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d

[Patch] https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca

[Patch] https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70

[Patch] https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85

[Issue Tracking] https://github.com/python/cpython/issues/143919

[Issue Tracking] https://github.com/python/cpython/pull/143920

Scores

EPSS 0.0016

EPSS Percentile 37.1%

Classification

CWE

CWE-93

Status draft

Timeline

Published Jan 20, 2026

Tracked Since Feb 18, 2026