Description

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
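The description above names the unvalidated paths (Morsel.update(), the |= operator, unpickling) and the missing output check in js_output(). The following is an added example, not code from CPython or from this record: it checks the running interpreter against the affected version ranges listed on this page, and it validates cookie keys, values and attribute fields for ASCII control characters before they reach Morsel, so a defender's own check does not depend on which of the library's paths the interpreter has patched. The helper names (version_is_affected, build_morsel, checked_fields) and the affected-range tuples encoded from this record are assumptions of this example.

```python
import sys
from http.cookies import Morsel

# ASCII control characters (0x00-0x1F and 0x7F); the class the advisory
# says the Morsel input validation was meant to reject.
_CONTROL = {chr(c) for c in range(0x20)} | {chr(0x7F)}


def version_is_affected(vi=sys.version_info):
    """Return True if a version tuple falls inside an affected range listed
    on this record: before 3.13.13; 3.14.0 before 3.14.4; 3.15.0a1 before
    3.15.0a8.  Assumes vi has the shape of sys.version_info
    (major, minor, micro, releaselevel, serial)."""
    major, minor, micro, level, serial = vi[:5]
    if (major, minor, micro) < (3, 13, 13):
        return True
    if (3, 14, 0) <= (major, minor, micro) < (3, 14, 4):
        return True
    if (major, minor, micro) == (3, 15, 0) and level == "alpha" and 1 <= serial < 8:
        return True
    return False


def has_control_chars(text):
    """True if text contains any ASCII control character."""
    return any(c in _CONTROL for c in text)


def checked_fields(fields):
    """Validate a mapping of attribute names and values before it is handed
    to Morsel.update() or used with |=.  Raises ValueError on the first
    control character, so the library's update paths never see it."""
    for name, value in fields.items():
        for part in (name, str(value)):
            if has_control_chars(part):
                raise ValueError(f"control character in cookie field {name!r}")
    return dict(fields)


def build_morsel(key, value, **attrs):
    """Build a Morsel whose key, value and attributes were checked here,
    independent of what the interpreter's own http.cookies validates."""
    for part in (key, value):
        if has_control_chars(part):
            raise ValueError("control character in cookie key or value")
    morsel = Morsel()
    morsel.set(key, value, value)
    morsel.update(checked_fields(attrs))
    return morsel


def rejects(func, *args, **kwargs):
    """True if func raises ValueError for the given input (used for checks)."""
    try:
        func(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: one clean cookie and one carrying CRLF.
    print("interpreter in an affected range:", version_is_affected())
    print(build_morsel("session", "abc", path="/", httponly=True).OutputString())
    print("CRLF value rejected:", rejects(build_morsel, "session", "abc\r\n"))
```

The version check only reports whether the interpreter is inside a range this record lists; it does not test library behaviour. The field check is the mitigation: applying it before update() or |= covers the two call paths named above, while data arriving through unpickling should simply not be accepted from untrusted sources.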

PUBLISHED | Reserved 2026-03-06 | Published 2026-03-16 | Updated 2026-04-07 | Assigner PSF

MEDIUM: 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Product status

Default status
unaffected

Any version before 3.13.13
affected

3.14.0 (python) before 3.14.4
affected

3.15.0a1 (python) before 3.15.0a8
affected

Credits

Stan Ulbrych coordinator

Stan Ulbrych remediation developer

Victor Stinner remediation reviewer

Seth Larson remediation reviewer

Vyom Yadav reporter

References

mail.python.org/.../thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/ vendor-advisory

github.com/...ommit/57e88c1cf95e1481b94ae57abe1010469d47a6b4 patch

github.com/python/cpython/issues/145599 issue-tracking

github.com/python/cpython/pull/145600 patch

github.com/...ommit/62ceb396fcbe69da1ded3702de586f4072b590dd patch

github.com/...ommit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd patch

cve.org (CVE-2026-3644)

nvd.nist.gov (CVE-2026-3644)