{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0672", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-01-07T17:08:45.326Z", "datePublished": "2026-01-20T21:52:33.925Z", "dateUpdated": "2026-03-03T14:43:20.490Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["http.cookies"], "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"version": "0", "lessThan": "3.10.20", "status": "affected", "versionType": "python"}, {"version": "3.11.0", "lessThan": "3.11.15", "status": "affected", "versionType": "python"}, {"version": "3.12.0", "lessThan": "3.12.13", "status": "affected", "versionType": "python"}, {"version": "3.13.0", "lessThan": "3.13.12", "status": "affected", "versionType": "python"}, {"version": "3.14.0", "lessThan": "3.14.3", "status": "affected", "versionType": "python"}, {"version": "3.15.0a1", "lessThan": "3.15.0a6", "status": "affected", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Omar M. Hasan"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters."}], "value": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "description": "CWE-93", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-03-03T14:43:20.490Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/python/cpython/pull/143920"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/143919"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85"}], "source": {"discovery": "UNKNOWN"}, "title": "Header injection in http.cookies.Morsel", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T15:40:11.672802Z", "id": "CVE-2026-0672", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T16:14:06.341Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0672", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T15:40:11.672802Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T15:48:28.463Z"}}], "cna": {"title": "Header injection in http.cookies.Morsel", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Omar M. Hasan"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "modules": ["http.cookies"], "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.10.20", "versionType": "python"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.15", "versionType": "python"}, {"status": "affected", "version": "3.12.0", "lessThan": "3.12.13", "versionType": "python"}, {"status": "affected", "version": "3.13.0", "lessThan": "3.13.12", "versionType": "python"}, {"status": "affected", "version": "3.14.0", "lessThan": "3.14.3", "versionType": "python"}, {"status": "affected", "version": "3.15.0a1", "lessThan": "3.15.0a6", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/pull/143920", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/issues/143919", "tags": ["issue-tracking"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "supportingMedia": [{"type": "text/html", "value": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-03-03T14:43:20.490Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0672", "state": "PUBLISHED", "dateUpdated": "2026-03-03T14:43:20.490Z", "dateReserved": "2026-01-07T17:08:45.326Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2026-01-20T21:52:33.925Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters."}, {"lang": "es", "value": "Al usar http.cookies.Morsel, los valores y par\u00e1metros de cookie controlados por el usuario pueden permitir la inyecci\u00f3n de encabezados HTTP en los mensajes. El parche rechaza todos los caracteres de control dentro de los nombres, valores y par\u00e1metros de las cookies."}], "id": "CVE-2026-0672", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2026-01-20T22:15:52.680", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/143919"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/143920"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "cna@python.org", "type": "Secondary"}]}

{"bugzilla": {"description": "cpython: Header injection in http.cookies.Morsel in Python", "id": "2431374", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431374"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-93", "details": ["When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-0672", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python39-devel:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}], "public_date": "2026-01-20T21:52:33Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0672\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0672\nhttps://github.com/python/cpython/issues/143919\nhttps://github.com/python/cpython/pull/143920"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-16T18:01:35.538547+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest CPython release that contains the http.cookies.Morsel patch.", "Sanitize cookie names, values, and parameters in application code to reject control characters before passing them to http.cookies.Morsel.", "Review the application code to ensure that no untrusted user input is used to construct HTTP response headers, and apply input validation where necessary."], "summary": {"action": "Apply Patch", "impact": "HTTP Header Injection via http.cookies.Morsel"}, "threat_synthesis": {"affected_systems": "Python Software Foundation CPython is affected. Any CPython installation that uses the unpatched http.cookies.Morsel implementation and where application code allows user\u2011controlled cookie values is vulnerable. The specific version range is not listed, but the commit history indicates the issue existed before the patch was applied.", "description_and_impact": "The vulnerability in http.cookies.Morsel allows an attacker to insert arbitrary HTTP header lines by including control characters in cookie names, values, or parameters. This can lead to HTTP response splitting, header injection, or cross\u2011site scripting via crafted headers. The flaw stems from insufficient validation of cookie components, classified as CWE\u201193.", "risk_and_exploitability": "The CVSS score of 6.0 indicates medium severity, while the EPSS of less than 1% suggests a low probability of exploitation at the moment. The vulnerability has not been listed in the CISA KEV catalog. An attacker would need to control cookie values, which is typically feasible via a web application that trusts client input. The mitigation already rejects control characters, meaning the risk can be reduced through upgrading or input filtering."}}}}, "created": "2026-01-21T11:18:45.866543+00:00", "updated": "2026-04-16T18:15:43.268514+00:00", "vendors": ["python", "python$PRODUCT$cpython"]}