CVE-2025-11468CRLF Injection in Software Foundation Cpython

CWE-93CRLF InjectionCWE-140Improper Neutralization of Delimiters10 documents8 sources
Severity
5.7MEDIUMNVD
EPSS
0.0%
top 88.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Python Software Foundation Cpython
Timeline
PublishedJan 20
Latest updateMar 19

Description

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

CVEListV5python_software_foundation/cpython3.11.03.11.15+5

🔴Vulnerability Details

5
OSV
python2.7 vulnerabilities2026-03-19
OSV
python3.14, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4 vulnerabilities2026-02-05
GHSA
GHSA-39h2-3mq3-959g: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved2026-01-21
CVEList
Folding email comments of unfoldable characters doesn't preserve parenthesis2026-01-20
OSV
CVE-2025-11468: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved2026-01-20

📋Vendor Advisories

3
Ubuntu
Python vulnerabilities2026-02-05
Red Hat
cpython: Missing character filtering in Python2026-01-20
Debian
CVE-2025-11468: jython - When folding a long comment in an email header containing exclusively unfoldable...2025

🕵️Threat Intelligence

1
Wiz
CVE-2025-11468 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-11468 — CRLF Injection | cvebase