Python · Http.Cookies · CVE-2026-3644
**Name of the Vulnerable Software and Affected Versions**
http.cookies (affected versions not specified)
**Description**
An incomplete fix for a previous issue related to control character validation in `http.cookies.Morsel` allows control characters to bypass input validation. The fix did not fully address the problem, leaving the `Morsel.update()`, `|= operator`, and unpickling paths vulnerable. Additionally, the `BaseCookie.js output()` function lacks the output validation present in `BaseCookie.output()`.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.