Home > Vulnerability Database > CVE-2026-1299

Mend.io Vulnerability Database

CVE-2026-1299

Good to know:

Date: January 23, 2026

The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".

Severity Score

7.1

Related Resources (11)

Url: https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8

Url: https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4

Url: https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413

Url: https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36

Url: https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9

Url: https://github.com/python/cpython/issues/144125

Url: https://github.com/python/cpython/pull/144126

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-1299

Url: https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/

Url: https://cve.org/CVERecord?id=CVE-2024-6923

Url: https://www.mend.io/vulnerability-database/CVE-2026-1299

Severity Score

7.1

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-93

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-1299

Good to know:

Date: January 23, 2026

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?