Vulnerability DatabaseCVE-2026-1299
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-1299
January 23, 2026
The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
Related Resources (10)
https://github.com/python/cpython/pull/144126
https://cve.org/CVERecord?id=CVE-2024-6923
https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413
https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8
https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4
https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/
https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9
https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36
https://github.com/python/cpython/issues/144125
https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a
Do you need more information?
Contact Us
CVSS v4
Base Score:
6
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-93
EPSS
Base Score:
0.03