{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1299", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-01-21T18:30:52.594Z", "datePublished": "2026-01-23T16:27:13.346Z", "dateUpdated": "2026-03-03T14:43:35.655Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["email"], "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"version": "0", "lessThan": "3.10.20", "status": "affected", "versionType": "python"}, {"version": "3.11.0", "lessThan": "3.11.15", "status": "affected", "versionType": "python"}, {"version": "3.12.0", "lessThan": "3.12.13", "status": "affected", "versionType": "python"}, {"version": "3.13.0", "lessThan": "3.13.12", "status": "affected", "versionType": "python"}, {"version": "3.14.0", "lessThan": "3.14.3", "status": "affected", "versionType": "python"}, {"version": "3.15.0a1", "lessThan": "3.15.0a6", "status": "affected", "versionType": "python"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The \nemail module, specifically the \"BytesGenerator\" class, didn\u2019t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\"."}], "value": "The \nemail module, specifically the \"BytesGenerator\" class, didn\u2019t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\"."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "description": "CWE-93", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-03-03T14:43:35.655Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/python/cpython/pull/144126"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/144125"}, {"tags": ["related"], "url": "https://cve.org/CVERecord?id=CVE-2024-6923"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a"}], "source": {"discovery": "UNKNOWN"}, "title": "email BytesGenerator header injection due to unquoted newlines", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T16:55:59.722632Z", "id": "CVE-2026-1299", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T16:56:22.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1299", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T16:55:59.722632Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T16:56:16.248Z"}}], "cna": {"title": "email BytesGenerator header injection due to unquoted newlines", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "modules": ["email"], "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.10.20", "versionType": "python"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.15", "versionType": "python"}, {"status": "affected", "version": "3.12.0", "lessThan": "3.12.13", "versionType": "python"}, {"status": "affected", "version": "3.13.0", "lessThan": "3.13.12", "versionType": "python"}, {"status": "affected", "version": "3.14.0", "lessThan": "3.14.3", "versionType": "python"}, {"status": "affected", "version": "3.15.0a1", "lessThan": "3.15.0a6", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/pull/144126", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/issues/144125", "tags": ["issue-tracking"]}, {"url": "https://cve.org/CVERecord?id=CVE-2024-6923", "tags": ["related"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The \nemail module, specifically the \"BytesGenerator\" class, didn\u2019t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "supportingMedia": [{"type": "text/html", "value": "The \nemail module, specifically the \"BytesGenerator\" class, didn\u2019t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-03-03T14:43:35.655Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1299", "state": "PUBLISHED", "dateUpdated": "2026-03-03T14:43:35.655Z", "dateReserved": "2026-01-21T18:30:52.594Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2026-01-23T16:27:13.346Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The \nemail module, specifically the \"BytesGenerator\" class, didn\u2019t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\"."}, {"lang": "es", "value": "El m\u00f3dulo de correo electr\u00f3nico, espec\u00edficamente la clase 'BytesGenerator', no escapaba correctamente los saltos de l\u00ednea para los encabezados de correo electr\u00f3nico al serializar un mensaje de correo electr\u00f3nico, lo que permit\u00eda la inyecci\u00f3n de encabezados cuando se serializa un correo electr\u00f3nico. Esto solo es aplicable si se utiliza 'LiteralHeader' para escribir encabezados que no respetan las reglas de plegado de correo electr\u00f3nico; el nuevo comportamiento rechazar\u00e1 los encabezados plegados incorrectamente en 'BytesGenerator'."}], "id": "CVE-2026-1299", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2026-01-23T17:16:12.977", "references": [{"source": "cna@python.org", "url": "https://cve.org/CVERecord?id=CVE-2024-6923"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/144125"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/144126"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "cna@python.org", "type": "Secondary"}]}

{"bugzilla": {"description": "cpython: email header injection due to unquoted newlines", "id": "2432437", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432437"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-93", "details": ["The \nemail module, specifically the \"BytesGenerator\" class, didn\u2019t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\nis serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "A flaw was found in the email module in the Python standard library. When serializing an email message, the BytesGenerator class fails to properly quote newline characters for email headers. This issue is exploitable when the LiteralHeader class is used as it does not respect email folding rules, allowing an attacker to inject email headers and potentially modify message recipients or the email body, and spoof sender information."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, applications accepting user-supplied data for email headers should sanitize the input by stripping or rejecting any strings containing carriage return or line feed characters, '\\r' or '\\n', respectively, preventing malicious sequences that could lead to header manipulation."}, "name": "CVE-2026-1299", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python39-devel:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-01-23T16:27:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1299\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1299\nhttps://cve.org/CVERecord?id=CVE-2024-6923\nhttps://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413\nhttps://github.com/python/cpython/issues/144125\nhttps://github.com/python/cpython/pull/144126\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/"], "statement": "This issue can only be exploitable by Python applications using the LiteralHeader class to write email headers, as it does not respect email folding rules. Additionally, this issue allows attackers to modify message recipients or the email body and spoof sender identity but it does not cause memory corruption or arbitrary code execution. Due to these reasons, this vulnerability has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-16T17:43:09.366968+00:00", "value": {"mitigation_remediation": ["Upgrade CPython to a version that incorporates the patch committed on 052e55e7- ... to ensure correct quotation of newlines in email headers.", "If upgrading is not immediately feasible, modify application code to avoid using LiteralHeader for any data that can be influenced by users, and instead use the Header class or explicitly escape newline characters before passing them to.BytesGenerator.", "Configure or harden the email module to reject incorrectly folded headers, or wrap the header generation logic with validation that enforces email folding rules and rejects unquoted newline characters."], "summary": {"action": "Apply Patch", "impact": "Header Injection"}, "threat_synthesis": {"affected_systems": "All CPython installations that employ the email module\u2019s BytesGenerator with the LiteralHeader writer are vulnerable. The exact version range is not specified, so any build prior to the commit that introduced the fix should be considered affected.", "description_and_impact": "The BytesGenerator class in CPython\u2019s email module failed to quote newline characters in headers during serialization, enabling an attacker who can influence header data to inject arbitrary email headers. The flaw manifests when using the LiteralHeader writer, which does not enforce email folding rules. Successful exploitation could lead to email spoofing, content corruption, or delivery of malicious content to recipients.", "risk_and_exploitability": "The CVSS score of six reflects a moderate severity, while the EPSS probability of less than one percent indicates low likelihood of widespread exploitation. The vulnerability is not present in the CISA KEV list, suggesting it has not been observed in the wild. Likely attack vectors involve applications that construct and send email messages using untrusted header input, giving an attacker the capacity to manipulate header fields. The absence of a KEV listing reduces urgency, but the nature of header injection remains a valid concern for message integrity."}}}}, "created": "2026-01-26T11:53:43.927425+00:00", "updated": "2026-04-16T17:45:27.382531+00:00", "vendors": ["python", "python$PRODUCT$cpython"]}