
Description

User-controlled header names and values containing newlines can allow injecting HTTP headers.

PUBLISHED Reserved 2026-01-12 | Published 2026-01-20 | Updated 2026-02-23 | Assigner PSF




MEDIUM: 5.9 | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Product status

Default status
unaffected

Any version before 3.13.12
affected

3.14.0 (python) before 3.14.3
affected

3.15.0a1 (python) before 3.15.0a6
affected

Credits

Omar M. Hasan reporter

References

github.com/python/cpython/pull/143917 patch

github.com/python/cpython/issues/143916 issue-tracking

mail.python.org/.../thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/ vendor-advisory

github.com/...ommit/22e4d55285cee52bc4dbe061324e5f30bd4dee58 patch

github.com/...ommit/23e3c0ae867cca0130e441e776c9955b9027c510 patch

github.com/...ommit/4802b96a2cde58570c24c13ef3289490980961c5 patch

github.com/...ommit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211 patch

github.com/...ommit/2f840249550e082dc351743f474ba56da10478d2 patch

github.com/...ommit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995 patch

github.com/...ommit/66da7bf6fe7b81e3ecc9c0a25bd47d4616c8d1a6 patch

github.com/...ommit/83ecd18779f286d872f68bfce175651e407d9fff patch

github.com/...ommit/bfba660085767f8c2d582134e9d511a85eda04cf patch

cve.org (CVE-2026-0865)

nvd.nist.gov (CVE-2026-0865)
