CVE-2026-0864
Configuration Injection via Carriage Return (\r) in write() method
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
When the "configparser" module is used to write configuration files containing multi-line text values with carriage return characters (\r), the resulting file could be injected with unexpected keys and values if the attacker controls the written value.
| Vendor | python software foundation |
| Product | cpython |
| Published | Jun 23, 2026 |
| Last Updated | Jun 23, 2026 |
Affected Versions
Python Software Foundation / CPython
0 < 3.15.0
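A defensive sketch for code that has to write attacker-influenced values on an affected version, added here as an example and not taken from CPython or the referenced fix. The helper names (`normalize_newlines`, `cr_fields`, `load_untrusted`, `roundtrip_keys_match`) and the sample settings are hypothetical, and the parser is assumed to use default delimiters and settings.

```python
import configparser
import io


def normalize_newlines(value: str) -> str:
    """Fold CRLF and bare CR into LF, which write() indents as a continuation line."""
    return value.replace("\r\n", "\n").replace("\r", "\n")


def cr_fields(settings: dict) -> list:
    """Return (section, option) pairs whose value carries a carriage return."""
    return [(section, option)
            for section, options in settings.items()
            for option, value in options.items()
            if "\r" in str(value)]


def load_untrusted(settings: dict) -> configparser.RawConfigParser:
    """Build a parser from untrusted values with every CR normalized first."""
    parser = configparser.RawConfigParser()
    parser.read_dict({section: {option: normalize_newlines(str(value))
                                for option, value in options.items()}
                      for section, options in settings.items()})
    return parser


def roundtrip_keys_match(parser: configparser.RawConfigParser) -> bool:
    """Write to memory, re-parse as a text-mode reader would, compare key names."""
    buf = io.StringIO()
    parser.write(buf)
    # Text-mode open() applies universal newlines; read_string() does not, so emulate it.
    text = normalize_newlines(buf.getvalue())
    check = configparser.RawConfigParser()
    try:
        check.read_string(text)
    except configparser.Error:
        return False
    return (check.sections() == parser.sections() and
            all(check.options(s) == parser.options(s) for s in parser.sections()))


# Constructed sample input: one value with an embedded bare CR.
SAMPLE = {"app": {"level": "INFO\rdebug = true", "name": "svc"}}

if __name__ == "__main__":
    print("values containing CR:", cr_fields(SAMPLE))
    parser = load_untrusted(SAMPLE)
    print("round trip keeps key set:", roundtrip_keys_match(parser))
```

Logging the output of `cr_fields` before normalizing keeps a record of which inputs carried a carriage return.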
References
github.com: https://github.com/python/cpython/pull/151559
mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/
github.com: https://github.com/python/cpython/issues/143927
github.com: https://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f
Credits
D0n9 (https://github.com/D0n9)
Petr Viktorin (https://github.com/encukou)
Seth Larson (https://github.com/sethmlarson)