CVE-2026-3644

Опубликовано: 16 мар. 2026

Источник: redhat

CVSS3: 5.4

EPSS Низкий

Описание

A control character validation flaw has been discovered in the Python http.cookie module. The Morsel.update(), |= operator, and unpickling paths were not patched to resolve CVE-2026-0672, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 10	python3.12	Fix deferred
Red Hat Enterprise Linux 10	python3.14	Fix deferred
Red Hat Enterprise Linux 6	python	Fix deferred
Red Hat Enterprise Linux 7	python	Fix deferred
Red Hat Enterprise Linux 7	python3	Fix deferred
Red Hat Enterprise Linux 8	python3	Fix deferred
Red Hat Enterprise Linux 8	python3.11	Fix deferred
Red Hat Enterprise Linux 8	python3.12	Fix deferred
Red Hat Enterprise Linux 8	python36:3.6/python36	Fix deferred
Red Hat Enterprise Linux 8	python39-devel:3.9/python39	Fix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-791

https://bugzilla.redhat.com/show_bug.cgi?id=2448168cpython: Incomplete control character validation in http.cookies

EPSS

Процентиль: 28%

0.00101

Низкий

5.4 Medium

CVSS3

Связанные уязвимости

CVE-2026-3644

ubuntu

10 дней назад

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().