CVE-2026-3644
MEDIUM
6.0
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
CWE-20: Improper Input Validation (Stable)
Common Consequences
Security Scopes Affected:
Availability
Confidentiality
Integrity
Potential Impacts:
DoS: Crash, Exit, or Restart
DoS: Resource Consumption (CPU)
DoS: Resource Consumption (Memory)
Read Memory
Read Files Or Directories
Modify Memory
Execute Unauthorized Code Or Commands
Applicable Platforms
All platforms may be affected
CWE-116: Improper Encoding or Escaping of Output (Draft)
Common Consequences
Security Scopes Affected:
Integrity
Confidentiality
Availability
Access Control
Potential Impacts:
Modify Application Data
Execute Unauthorized Code Or Commands
Bypass Protection Mechanism
Applicable Platforms
Technologies:
AI/ML, Database Server, Not Technology-Specific, Web Server
https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6…
https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590…
https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979…
https://github.com/python/cpython/issues/145599
https://github.com/python/cpython/pull/145600
https://mail.python.org/archives/list/[email protected]/thread/H6CAD…