Home > Vulnerability Database > CVE-2026-0672

Mend.io Vulnerability Database

CVE-2026-0672

Good to know:

Date: January 20, 2026

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Severity Score

7.1

Related Resources (11)

Url: https://github.com/python/cpython/pull/143920

Url: https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440

Url: https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d

Url: https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70

Url: https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/

Url: https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca

Url: https://github.com/python/cpython/issues/143919

Url: https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85

Url: https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-0672

Url: https://www.mend.io/vulnerability-database/CVE-2026-0672

Severity Score

7.1

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-93

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-0672

Good to know:

Date: January 20, 2026

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?