CVE-2026-0672

MEDIUM

CPython HTTP Header Injection via http.cookies.Morsel

Title source: llm

Description

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

References (9)

Core 9

Core References

Various Sources vendor-advisory

https://mail.python.org/archives/list/[email protected]/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/

Patch patch

https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85

View Patch ZIP pw:eip

Issue Tracking issue-tracking

https://github.com/python/cpython/issues/143919

Issue Tracking patch

https://github.com/python/cpython/pull/143920

Scores

CVSS v4 6.0

EPSS 0.0040

EPSS Percentile 31.6%

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-93

Status published

Products (6)

Python Software Foundation/CPython < 3.10.20

Python Software Foundation/CPython 3.11.0 - 3.11.15

Python Software Foundation/CPython 3.12.0 - 3.12.13

Python Software Foundation/CPython 3.13.0 - 3.13.12

Python Software Foundation/CPython 3.14.0 - 3.14.3

Python Software Foundation/CPython 3.15.0a1 - 3.15.0a6

Published Jan 20, 2026

Tracked Since Feb 18, 2026