QwikSec

Security Database

CVE

CWE

Training

CVE-2026-0672

Published: Jan 20, 2026

Modified: Mar 3, 2026

PUBLISHED

Description

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Vendor	Product	Versions
Python Software Foundation	CPython	affected `0 - < 3.10.20` affected `3.11.0 - < 3.11.15` affected `3.12.0 - < 3.12.13` affected `3.13.0 - < 3.13.12` affected `3.14.0 - < 3.14.3` +1 more versions

Weaknesses (CWE)

References

https://github.com/python/cpython/pull/143920

patch

https://github.com/python/cpython/issues/143919

issue-tracking

https://mail.python.org/archives/list/[email protected]/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/

vendor-advisory

https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70

patch

https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440

patch

https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172

patch

https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d

patch

https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca

patch

https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.