CVE-2026-1299

MEDIUM

Email module - Header Injection

Title source: llm

Description

The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".

References (10)

[Issue Tracking] https://github.com/python/cpython/pull/144126

[Issue Tracking] https://github.com/python/cpython/issues/144125

[Various Sources] https://cve.org/CVERecord?id=CVE-2024-6923

[Various Sources] https://mail.python.org/archives/list/[email protected]/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/

[Patch] https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413

View Patch ZIP pw:eip

[Patch] https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8

[Patch] https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9

[Patch] https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4

[Patch] https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36

[Patch] https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a

Scores

CVSS v4 6.0

EPSS 0.0004

EPSS Percentile 13.4%

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-93

Status published

Published Jan 23, 2026

Tracked Since Feb 18, 2026