Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-vf33-88pf-hwp3

Опубликовано: 16 мар. 2026
Источник: github
Github: Не прошло ревью
CVSS4: 6

Описание

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Ссылки

EPSS

Процентиль: 30%
0.00113
Низкий

6 Medium

CVSS4

CVE ID

CVE-2026-3644

Дефекты

CWE-20

Связанные уязвимости

ubuntu логотип

CVE-2026-3644

ubuntu
10 дней назад

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

redhat логотип

CVE-2026-3644

CVSS3: 5.4
redhat
10 дней назад

A control character validation flaw has been discovered in the Python http.cookie module. The Morsel.update(), |= operator, and unpickling paths were not patched to resolve CVE-2026-0672, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

nvd логотип

CVE-2026-3644

nvd
10 дней назад

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

msrc логотип

CVE-2026-3644

msrc
8 дней назад

Incomplete control character validation in http.cookies

debian логотип

CVE-2026-3644

debian
10 дней назад

The fix for CVE-2026-0672, which rejected control characters in http.c ...

EPSS

Процентиль: 30%
0.00113
Низкий

6 Medium

CVSS4

CVE ID

CVE-2026-3644

Дефекты

CWE-20