Home

Description

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

PUBLISHED Reserved 2026-01-27 | Published 2026-04-10 | Updated 2026-05-12 | Assigner PSF




MEDIUM: 5.7CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Product status

Default status
unaffected

Any version before 3.14.5rc1
affected

3.15.0a1 (python) before 3.15.0b1
affected

Credits

senseicat reporter

Seth Larson coordinator

References

www.openwall.com/lists/oss-security/2026/04/11/4

github.com/python/cpython/pull/146212 patch

github.com/python/cpython/issues/146211 issue-tracking

mail.python.org/.../thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/ vendor-advisory

github.com/...ommit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 patch

github.com/...ommit/b1cf9016335cb637c5a425032e8274a224f4b2ed patch

cve.org (CVE-2026-1502)

nvd.nist.gov (CVE-2026-1502)

Download JSON