CVE-2026-1502 — CRLF Injection in Software Foundation Cpython

CWE-93 — CRLF Injection18 documents6 sources

Severity

5.7MEDIUMNVD

EPSS

0.1%

top 82.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython

Timeline

PublishedApr 10

Latest updateApr 13

Description

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5python_software_foundation/cpython< 3.15.0

🔴Vulnerability Details

VulDB

Python CPython up to 3.14.x HTTP Client Proxy Tunnel crlf injection (ID 146211 / EUVD-2026-21519)↗2026-04-10

▶

GHSA

GHSA-hjxq-7w9q-2jw6: CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host↗2026-04-10

▶

CVEList

HTTP client proxy tunnel headers not validated for CR/LF↗2026-04-10

▶

📋Vendor Advisories

Red Hat

python: Python: HTTP header injection via CR/LF in proxy tunnel headers↗2026-04-10

▶

💬Community

Bugzilla

CVE-2026-1502 mingw-python3: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]↗2026-04-13

▶

Bugzilla

CVE-2026-1502 python3.6: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]↗2026-04-13

▶

Bugzilla

CVE-2026-1502 python3.10: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]↗2026-04-13

▶

Bugzilla

CVE-2026-1502 python3.9: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]↗2026-04-13

▶

Bugzilla

CVE-2026-1502 python3.15: Python: HTTP header injection via CR/LF in proxy tunnel headers [fedora-all]↗2026-04-13

▶