CVE-2026-0672 — CRLF Injection in Software Foundation Cpython

CWE-93 — CRLF Injection CWE-791 — Incomplete Filtering of Special Elements13 documents9 sources

Severity

6.0MEDIUMNVD

OSV5.7

EPSS

0.2%

top 63.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython

Timeline

PublishedJan 20

Latest updateMar 19

Description

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5python_software_foundation/cpython3.11.0 — 3.11.15+8

🔴Vulnerability Details

OSV

python2.7 vulnerabilities↗2026-03-19

▶

GHSA

GHSA-x85f-j5v8-5vrv: When using http↗2026-01-21

▶

CVEList

Header injection in http.cookies.Morsel↗2026-01-20

▶

OSV

CVE-2026-0672: When using http↗2026-01-20

▶

📋Vendor Advisories

Ubuntu

Python 2.7 vulnerabilities↗2026-03-19

▶

Red Hat

cpython: Incomplete control character validation in http.cookies↗2026-03-16

▶

Ubuntu

Python vulnerabilities↗2026-02-05

▶

Red Hat

cpython: Header injection in http.cookies.Morsel in Python↗2026-01-20

▶

Debian

CVE-2026-0672: pypy3 - When using http.cookies.Morsel, user-controlled cookie values and parameters can...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0672 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-3644 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-3644 cpython: Incomplete control character validation in http.cookies↗2026-03-16

▶