CVE-2026-0865 — Injection in Software Foundation Cpython

CWE-74 — Injection12 documents8 sources

Severity

5.9MEDIUMNVD

OSV5.7

EPSS

0.1%

top 67.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython

Timeline

PublishedJan 20

Latest updateMar 19

Description

User-controlled header names and values containing newlines can allow injecting HTTP headers.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5python_software_foundation/cpython3.11.0 — 3.11.15+5

🔴Vulnerability Details

OSV

python2.7 vulnerabilities↗2026-03-19

▶

OSV

python3.4, python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, python3.14 regression↗2026-03-09

▶

GHSA

GHSA-5mc7-p6pj-r3f5: User-controlled header names and values containing newlines can allow injecting HTTP headers↗2026-01-21

▶

OSV

CVE-2026-0865: User-controlled header names and values containing newlines can allow injecting HTTP headers↗2026-01-20

▶

CVEList

wsgiref.headers.Headers allows header newline injection↗2026-01-20

▶

📋Vendor Advisories

Ubuntu

Python 2.7 vulnerabilities↗2026-03-19

▶

Ubuntu

Python regression↗2026-03-09

▶

Ubuntu

Python vulnerabilities↗2026-02-05

▶

Red Hat

cpython: wsgiref.headers.Headers allows header newline injection in Python↗2026-01-20

▶

Debian

CVE-2026-0865: jython - User-controlled header names and values containing newlines can allow injecting ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0865 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶