PT-2026-25789 · Python+2 · Http.Cookies+2

Seth Larson

+3

·

Publicado

2026-01-01

·

Atualizado

2026-05-19

·

CVE-2026-3644

CVSS v3.1

7.5

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions http.cookies (affected versions not specified)
Description An incomplete fix for a previous issue related to control character validation in http.cookies.Morsel allows control characters to bypass input validation. The fix did not fully address the problem, leaving the Morsel.update(), |= operator, and unpickling paths vulnerable. Additionally, the BaseCookie.js output() function lacks the output validation present in BaseCookie.output().
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

RCE

Improper Encoding or Escaping of Output

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20CWE-116

Identificadores relacionados

ALSA-2026:10950
ALSA-2026:19019
ALSA-2026:19064
ALSA-2026:19176
ALSA-2026:19177
BDU:2026-04601
BIT-LIBPYTHON-2026-3644
BIT-PYTHON-2026-3644
BIT-PYTHON-MIN-2026-3644
CVE-2026-3644
ECHO-6A47-D40A-2C76
OESA-2026-1899
OESA-2026-1900
OESA-2026-1901
OESA-2026-1902
OPENSUSE-SU-2026:10469-1
OPENSUSE-SU-2026:10477-1
OPENSUSE-SU-2026:10478-1
OPENSUSE-SU-2026:10479-1
OPENSUSE-SU-2026:10480-1
OPENSUSE-SU-2026:10481-1
OPENSUSE-SU-2026:20517-1
PSF-2026-11
RHSA-2026:10950
RHSA-2026:19064
RHSA-2026:19177
RHSA-2026:7443
RHSA-2026:7661
RHSA-2026:8822
RHSA-2026:8824
SUSE-SU-2026:1206-1
SUSE-SU-2026:1292-1
SUSE-SU-2026:1296-1
SUSE-SU-2026:1345-1
SUSE-SU-2026:1349-1
SUSE-SU-2026:1354-1
SUSE-SU-2026:1376-1
SUSE-SU-2026:1385-1
SUSE-SU-2026:1417-1
SUSE-SU-2026:1530-1
SUSE-SU-2026:1715-1
SUSE-SU-2026:21104-1
SUSE-SU-2026:21178-1
SUSE-SU-2026:21254-1

Produtos afetados

Red Os
Rocky Linux
Http.Cookies