CVE-2026-0672

MEDIUM

http - Cookie Injection

Title source: llm

Description

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

References (9)

[Various Sources] https://mail.python.org/archives/list/[email protected]/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/

[Patch] https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70

[Patch] https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440

[Patch] https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172

View Patch ZIP pw:eip

[Patch] https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d

[Patch] https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca

[Patch] https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85

[Issue Tracking] https://github.com/python/cpython/issues/143919

[Issue Tracking] https://github.com/python/cpython/pull/143920

Scores

CVSS v4 6.0

EPSS 0.0016

EPSS Percentile 36.2%

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-93

Status published

Products (6)

Python Software Foundation/CPython < 3.10.20

Python Software Foundation/CPython 3.11.0 - 3.11.15

Python Software Foundation/CPython 3.12.0 - 3.12.13

Python Software Foundation/CPython 3.13.0 - 3.13.12

Python Software Foundation/CPython 3.14.0 - 3.14.3

Python Software Foundation/CPython 3.15.0a1 - 3.15.0a6

Published Jan 20, 2026

Tracked Since Feb 18, 2026