-------- Forwarded Message -------- Subject: [Security-announce][CVE-2026-3644] Incomplete control character validation in http.cookies Date: Mon, 16 Mar 2026 17:28:35 +0000 From: Stan Ulbrych via Security-announce <[email protected]> Reply-To: [email protected] To: [email protected] CC: Stan Ulbrych <[email protected]> There is a MEDIUM severity vulnerability affecting CPython. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-3644 * https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4 -- Best regards, Stan Ulbrych. _______________________________________________ Security-announce mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/security-announce.python.org
