Vulnerability DatabaseCVE-2026-0672
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-0672
January 20, 2026
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
Related ResourcesĀ (9)
https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440
https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70
https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/
https://github.com/python/cpython/pull/143920
https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85
https://github.com/python/cpython/issues/143919
https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca
https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d
https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172
Do you need more information?
Contact Us
CVSS v4
Base Score:
6
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-93
EPSS
Base Score:
0.08