CVE-2026-1299 — CRLF Injection in Software Foundation Cpython

CWE-93 — CRLF Injection7 documents7 sources

Severity

6.0MEDIUMNVD

EPSS

0.0%

top 86.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython

Timeline

PublishedJan 23

Description

The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5python_software_foundation/cpython3.11.0 — 3.11.15+5

🔴Vulnerability Details

GHSA

GHSA-jh94-8q48-f3m3: The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing↗2026-01-23

▶

CVEList

email BytesGenerator header injection due to unquoted newlines↗2026-01-23

▶

OSV

CVE-2026-1299: The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing↗2026-01-23

▶

📋Vendor Advisories

Red Hat

cpython: email header injection due to unquoted newlines↗2026-01-23

▶

Debian

CVE-2026-1299: pypy3 - The email module, specifically the "BytesGenerator" class, didn’t properly quot...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-1299 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶