CVE-2026-3644 — Incomplete Filtering of Special Elements in Software Foundation CPython
Severity
6.0 MEDIUM (NVD)
EPSS
0.1% (top 70.18%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 16
Description
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
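A defensive check for the paths named above, as an added example that is not CPython's own code or its fix: it scans every Morsel field before rendering, so a value that entered through Morsel.update() is stopped whether or not the interpreter validates that path. The helper names and the sample attribute value are hypothetical and constructed for illustration.

```python
from http.cookies import CookieError, SimpleCookie


def has_control_chars(text):
    """True if text holds a C0 control character or DEL."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in str(text))


def morsel_findings(morsel):
    """Name every field of a Morsel that carries a control character."""
    findings = []
    for name in ("key", "value", "coded_value"):
        field = getattr(morsel, name)
        if field is not None and has_control_chars(field):
            findings.append(name)
    for attr, val in morsel.items():
        if has_control_chars(val):
            findings.append("attr:" + attr)
    return findings


def checked_render(cookie, js=False):
    """Render output() (or js_output()) only if every Morsel is clean."""
    for morsel in cookie.values():
        findings = morsel_findings(morsel)
        if findings:
            raise ValueError("control characters in %r: %s" % (morsel.key, findings))
    return cookie.js_output() if js else cookie.output()


def try_update_path(attrs):
    """Apply attrs through Morsel.update() and report which layer stopped them."""
    cookie = SimpleCookie()
    cookie["session"] = "abc123"
    try:
        cookie["session"].update(attrs)
    except (CookieError, ValueError):
        return "rejected by library"  # this interpreter validates update()
    try:
        checked_render(cookie)
    except ValueError:
        return "caught by check"  # update() let the value through
    return "clean"


# Constructed sample input: a path attribute carrying CR/LF.
CONSTRUCTED_ATTRS = {"path": "/\r\nconstructed-line"}
```

The same morsel_findings() scan can be run on cookies restored by unpickling, since the description lists that path as unvalidated too.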
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Packages (1 package)
Vulnerability Details (4)
GHSA: GHSA-vf33-88pf-hwp3: The fix for CVE-2026-0672, which rejected control characters in http (2026-03-16)
Vendor Advisories (3)
Threat Intelligence (1)
Community (5)
Bugzilla: CVE-2026-3644 python3.14: Incomplete control character validation in http.cookies [fedora-all] (2026-03-16)
Bugzilla: CVE-2026-3644 mingw-python3: Incomplete control character validation in http.cookies [fedora-all] (2026-03-16)
Bugzilla: CVE-2026-3644 python3.15: Incomplete control character validation in http.cookies [fedora-all] (2026-03-16)
Bugzilla: CVE-2026-3644 python3.13: Incomplete control character validation in http.cookies [fedora-all] (2026-03-16)