🔐 CVE Alert

CVE-2026-1299

UNKNOWN 0.0

email BytesGenerator header injection due to unquoted newlines

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

The email module, specifically the "BytesGenerator" class, did not properly quote newlines in email headers when serializing an email message, allowing header injection in the serialized output. This applies only when using "LiteralHeader" to write headers that don't respect email folding rules. The new behavior rejects the incorrectly folded headers in "BytesGenerator".

CWE: CWE-93
Vendor: python software foundation
Product: cpython
Published: Jan 23, 2026
Last Updated: Mar 3, 2026

Affected Versions

Python Software Foundation / CPython
0 < 3.10.20
3.11.0 < 3.11.15
3.12.0 < 3.12.13
3.13.0 < 3.13.12
3.14.0 < 3.14.3
3.15.0a1 < 3.15.0a6

References

github.com: https://github.com/python/cpython/pull/144126
github.com: https://github.com/python/cpython/issues/144125
cve.org: https://cve.org/CVERecord?id=CVE-2024-6923
mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/
github.com: https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413
github.com: https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8
github.com: https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9
github.com: https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4
github.com: https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36
github.com: https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a