CVE-2026-0672
Header injection in http.cookies.Morsel
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
When http.cookies.Morsel is used with user-controlled cookie values or parameters, those inputs can be used to inject HTTP headers into messages. The patch rejects all control characters within cookie names, values, and parameters.
| CWE | CWE-93 |
| Vendor | python software foundation |
| Product | cpython |
| Published | Jan 20, 2026 |
| Last Updated | Mar 3, 2026 |
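The following is an added example, not code from CPython or from the advisory: an application-side check that applies the same rule as the patch before any untrusted text reaches `Morsel`, useful on interpreters that are not yet upgraded. The helper names are hypothetical, and the exact character set (C0 controls plus DEL) is an assumption, since the page does not list it.

```python
import re
from http.cookies import Morsel

# Assumption: "control characters" means C0 controls (0x00-0x1F) plus DEL (0x7F).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def fields_with_control_chars(name, value, attrs):
    """Return labels of the cookie fields that contain a control character."""
    fields = {"name": name, "value": value}
    fields.update({f"attr:{key}": val for key, val in attrs.items()})
    return [label for label, text in fields.items()
            if _CONTROL_CHARS.search(str(text))]


def build_set_cookie(name, value, attrs=None):
    """Validate every field, then render the Set-Cookie header value."""
    attrs = attrs or {}
    bad = fields_with_control_chars(name, value, attrs)
    if bad:
        # Fail closed: reject the request instead of stripping and continuing.
        raise ValueError("control character in cookie field(s): " + ", ".join(bad))
    morsel = Morsel()
    morsel.set(name, value, value)  # key, value, coded_value
    for key, val in attrs.items():
        morsel[key] = val  # Morsel raises CookieError for unknown attributes
    return morsel.OutputString()


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    ("sid", "abc123", {"path": "/"}),
    ("sid", "abc123\r\nX-Constructed: 1", {"path": "/"}),
    ("sid", "abc123", {"path": "/app\nX-Constructed: 1"}),
]

if __name__ == "__main__":
    for name, value, attrs in SAMPLES:
        try:
            print("OK      ", build_set_cookie(name, value, attrs))
        except ValueError as exc:
            print("REJECTED", exc)
```

Validation runs before `Morsel` is touched, so the result is the same on patched and unpatched interpreters; upgrading to a fixed release remains the actual remedy.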
Affected Versions
Python Software Foundation / CPython
- 0 < 3.10.20
- 3.11.0 < 3.11.15
- 3.12.0 < 3.12.13
- 3.13.0 < 3.13.12
- 3.14.0 < 3.14.3
- 3.15.0a1 < 3.15.0a6
References
- github.com: https://github.com/python/cpython/pull/143920
- github.com: https://github.com/python/cpython/issues/143919
- mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/
- github.com: https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70
- github.com: https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440
- github.com: https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172
- github.com: https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d
- github.com: https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca
- github.com: https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85
Credits
Omar M. Hasan