CVE-2026-42874

Published: May 11, 2026

Modified: May 13, 2026

PUBLISHED

CVSS v3.1

3.7

LOW

Description

Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack), so that it can send malicious information that is destined to be stored in a cookie by the server on behalf of the victim. An attacker that infiltrates one client can only orchestrate a header injection attack for that client, all other clients that were not infiltrated are safe. This vulnerability is fixed in 2.6.1.

Vendor	Product	Versions
miguelgrinberg	microdot	affected `< 2.6.1`

Weaknesses (CWE)

CWE-113

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/miguelgrinberg/microdot/security/advisories/GHSA-7wc8-wvc4-m498

x_refsource_CONFIRM

https://github.com/miguelgrinberg/microdot/commit/99b281b45faef8472410f2d56bfef496dfbd95d5

x_refsource_MISC

https://github.com/miguelgrinberg/microdot/blob/main/CHANGES.md

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-42874

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References