CVE-2026-3644
Incomplete control character validation in http.cookies
CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
30th
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update() method, the |= operator, and the unpickling path were not patched, so control characters could still be stored in a Morsel without passing the input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(), so a Morsel holding control characters could still be rendered through that path.
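The mutation paths named above, as an added example that is not CPython's code and not part of this advisory: a defense-in-depth check that inspects the text a Morsel will actually render, so that a control character is refused regardless of which path stored it. The helper names, the `probe` classification and the CRLF payloads are constructed for the example; `probe` reports `rejected-at-mutation` on an interpreter whose http.cookies already refuses the value and `rejected-at-output` where only the added check stops it.

```python
"""Defense-in-depth check for Set-Cookie output built with http.cookies.

Added example, not CPython's own code. The advisory names three ways to
change a Morsel that do not pass through Morsel.__setitem__: update(), the
|= operator and unpickling. Rather than trusting that every mutation path
validates, this helper inspects the text a Morsel will actually render and
refuses to emit it if a control character is present. Helper names and the
injected payloads are constructed for the example.
"""
from http.cookies import CookieError, SimpleCookie

# RFC 6265 cookie-octet excludes CTLs (0x00-0x1F and 0x7F). CR and LF matter
# most: a Set-Cookie line ends at CRLF, so anything after one is read as a
# new header by the receiving side.
_CONTROL = frozenset(chr(c) for c in range(0x20)) | {"\x7f"}


def find_control_chars(text):
    """Return [(index, '0xNN'), ...] for every control character in text."""
    return [(i, f"0x{ord(ch):02x}") for i, ch in enumerate(text) if ch in _CONTROL]


def checked_outputs(cookie):
    """Render a BaseCookie for both output() and js_output().

    Returns (set_cookie_lines, js_text). Raises CookieError if any Morsel's
    rendered text contains a control character, whatever path set it.
    Morsel.OutputString() is the string both output() and js_output() embed,
    so one check covers both. Each Morsel is rendered individually so the
    CRLF that BaseCookie.output() uses to join lines is not mistaken for an
    injected one.
    """
    for morsel in cookie.values():
        bad = find_control_chars(morsel.OutputString())
        if bad:
            raise CookieError(f"control characters in cookie {morsel.key!r}: {bad}")
    return [m.output() for m in cookie.values()], cookie.js_output()


def headers_for(cookie_string):
    """Parse a cookie string and return its checked Set-Cookie lines."""
    return checked_outputs(SimpleCookie(cookie_string))[0]


# Constructed payloads: CRLF followed by text that would parse as a new header.
INJECTED_PATH = "/\r\nX-Injected: yes"
INJECTED_VALUE = "abc123\r\nSet-Cookie: admin=1"


def mutate_via_update(morsel):
    # dict.update() does not call Morsel.__setitem__, so its checks are skipped
    # unless Morsel overrides update() itself.
    morsel.update({"path": INJECTED_PATH})


def mutate_via_ior(morsel):
    # Same for dict.__ior__ unless Morsel overrides it.
    morsel |= {"path": INJECTED_PATH}


def mutate_via_unpickle(morsel):
    # __setstate__ is the hook that pickle's BUILD opcode calls; a crafted pickle
    # stream hands it attacker-chosen state. Called directly here so the
    # example does not need a hand-built pickle.
    morsel.__setstate__({"key": morsel.key, "value": INJECTED_VALUE,
                         "coded_value": INJECTED_VALUE})


def probe(mutate):
    """Apply one mutation path to a fresh cookie and report where it is stopped.

    'rejected-at-mutation': http.cookies itself refused (a patched interpreter).
    'rejected-at-output':   the mutation went through and only the rendered-text
                            check above caught it.
    'leaked':               a control character reached the emitted output.
    """
    cookie = SimpleCookie()
    cookie["session"] = "abc123"
    try:
        mutate(cookie["session"])
    except (CookieError, ValueError):
        return "rejected-at-mutation"
    try:
        checked_outputs(cookie)
    except (CookieError, ValueError):
        return "rejected-at-output"
    return "leaked"


if __name__ == "__main__":
    print(headers_for("session=abc123"))
    for path in (mutate_via_update, mutate_via_ior, mutate_via_unpickle):
        print(f"{path.__name__}: {probe(path)}")
```

The check is deliberately placed on the rendered string rather than on the Morsel's attributes: that is the one point every output path shares, and it keeps working if a further mutation path turns up later. Run the block on a pre-fix and a post-fix interpreter to see the classification move from `rejected-at-output` to `rejected-at-mutation`.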
| Vendor | Python Software Foundation |
| Product | CPython |
| Published | Mar 16, 2026 |
| Last Updated | Apr 7, 2026 |
Affected Versions
Python Software Foundation / CPython
- from 0, before 3.13.13
- from 3.14.0, before 3.14.4
- from 3.15.0a1, before 3.15.0a8
References
- mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/
- github.com (issue): https://github.com/python/cpython/issues/145599
- github.com (pull request): https://github.com/python/cpython/pull/145600
- github.com (commit): https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4
- github.com (commit): https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd
- github.com (commit): https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd
Credits
Stan Ulbrych, Victor Stinner, Seth Larson, Vyom Yadav