CVE-2026-0672

Опубликовано: 20 янв. 2026

Источник: redhat

CVSS3: 4.8

EPSS Низкий

Описание

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

An injection flaw has been discovered in Python. When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 10	firefox	Fix deferred
Red Hat Enterprise Linux 10	python3.12	Fix deferred
Red Hat Enterprise Linux 10	python3.14	Fix deferred
Red Hat Enterprise Linux 6	python	Fix deferred
Red Hat Enterprise Linux 7	firefox	Fix deferred
Red Hat Enterprise Linux 7	python	Fix deferred
Red Hat Enterprise Linux 7	python3	Fix deferred
Red Hat Enterprise Linux 8	firefox	Fix deferred
Red Hat Enterprise Linux 8	python3	Fix deferred
Red Hat Enterprise Linux 8	python3.11	Fix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-93

https://bugzilla.redhat.com/show_bug.cgi?id=2431374cpython: Header injection in http.cookies.Morsel in Python

EPSS

Процентиль: 37%

0.00158

Низкий

4.8 Medium

CVSS3

Связанные уязвимости

CVE-2026-0672

ubuntu

2 месяца назад

CVE-2026-0672

nvd

2 месяца назад

CVE-2026-0672

debian

2 месяца назад

When using http.cookies.Morsel, user-controlled cookie values and para ...

GHSA-x85f-j5v8-5vrv

github

2 месяца назад

SUSE-SU-2026:0590-1

suse-cvrf

около 1 месяца назад

Security update for python

EPSS

Процентиль: 37%

0.00158

Низкий

4.8 Medium

CVSS3