QwikSec

Security Database

CVE

CWE

Training

CVE-2026-1299

Published: Jan 23, 2026

Modified: Mar 3, 2026

PUBLISHED

Description

The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".

Vendor	Product	Versions
Python Software Foundation	CPython	affected `0 - < 3.10.20` affected `3.11.0 - < 3.11.15` affected `3.12.0 - < 3.12.13` affected `3.13.0 - < 3.13.12` affected `3.14.0 - < 3.14.3` +1 more versions

Weaknesses (CWE)

References

https://github.com/python/cpython/pull/144126

patch

https://github.com/python/cpython/issues/144125

issue-tracking

https://cve.org/CVERecord?id=CVE-2024-6923

related

https://mail.python.org/archives/list/[email protected]/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/

vendor-advisory

https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413

patch

https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8

patch

https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9

patch

https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4

patch

https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36

patch

https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.