PT-2026-25789 · Python+2 · Http.Cookies+2
Seth Larson +3 · Published 2026-01-01 · Updated 2026-05-19 · CVE-2026-3644
CVSS v2.0: 7.5 High
Vector: AV:N/AC:L/Au:S/C:P/I:C/A:N
Name of the Vulnerable Software and Affected Versions: http.cookies (affected versions not specified)
Description: An incomplete fix for a previous control-character validation issue in http.cookies.Morsel allows control characters to bypass input validation. The earlier fix did not fully address the problem, leaving the Morsel.update() method, the |= operator, and the unpickling path unvalidated. Additionally, BaseCookie.js_output() lacks the output validation present in BaseCookie.output().
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
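The description above names two gaps: attribute mappings that reach a Morsel through update() or |= skip the input check, and js_output() skips the output check. Until a fixed release is available, an application can compensate by screening on both sides itself. The block below is an added example written for this page, not code from CPython or from the advisory; the guard functions, the "sid" cookie and the inputs are constructed for illustration.

```python
import re
from http.cookies import SimpleCookie

# ASCII control characters (0x00-0x1F and DEL 0x7F). A CR or LF inside a cookie
# attribute would end the Set-Cookie line early, so none of them may pass.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(text: str) -> bool:
    """True if any ASCII control character is present in text."""
    return _CONTROL_CHARS.search(text) is not None


def validated_attrs(attrs: dict) -> dict:
    """Input-side guard (hypothetical, added here): screen a mapping of Morsel
    attributes before it is handed to Morsel.update() or the |= operator, the
    paths the advisory says skip Morsel's own validation. Raises ValueError on
    the first offending key or value; otherwise returns a plain copy."""
    for key, value in attrs.items():
        if has_control_chars(str(key)) or has_control_chars(str(value)):
            raise ValueError(f"control character in cookie attribute {key!r}")
    return dict(attrs)


def checked_lines(lines) -> str:
    """Output-side guard (hypothetical, added here): given one serialized header
    string per Morsel, refuse the whole block if any of them carries a control
    character, otherwise join them the way BaseCookie.output() does (CRLF).
    The check is applied per Morsel on purpose: once the lines are joined, an
    injected CRLF is indistinguishable from the separator."""
    lines = list(lines)
    for line in lines:
        if has_control_chars(line):
            raise ValueError("control character in Set-Cookie output")
    return "\r\n".join(lines)


def build_session_cookie(attrs: dict) -> str:
    """Build one constructed 'sid' cookie with both guards applied and return
    the Set-Cookie header text."""
    cookie = SimpleCookie()
    cookie["sid"] = "abc123"
    cookie["sid"].update(validated_attrs(attrs))  # guard runs before update()
    # Morsel.output() returns "Set-Cookie: <key>=<value>; <attrs>" for one Morsel.
    return checked_lines(morsel.output() for _key, morsel in sorted(cookie.items()))


if __name__ == "__main__":
    # Constructed inputs: a benign attribute set, then two carrying control characters.
    print(build_session_cookie({"path": "/", "httponly": True}))
    for bad in ({"path": "/\r\nX-Injected: 1"}, {"domain": "example.com\x00"}):
        try:
            build_session_cookie(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The same two functions wrap js_output() equally well: screen the attribute mapping before it reaches the Morsel, and run the per-Morsel strings through checked_lines() before emitting them, so the path the advisory says lacks output validation gets the same treatment as output().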

DoS

Improper Encoding or Escaping of Output

RCE

Weakness Enumeration

Related Identifiers

ALSA-2026:10950
ALSA-2026:19019
ALSA-2026:19064
ALSA-2026:19176
ALSA-2026:19177
BDU:2026-04601
BIT-LIBPYTHON-2026-3644
BIT-PYTHON-2026-3644
BIT-PYTHON-MIN-2026-3644
CVE-2026-3644
ECHO-6A47-D40A-2C76
OESA-2026-1899
OESA-2026-1900
OESA-2026-1901
OESA-2026-1902
OPENSUSE-SU-2026:10469-1
OPENSUSE-SU-2026:10477-1
OPENSUSE-SU-2026:10478-1
OPENSUSE-SU-2026:10479-1
OPENSUSE-SU-2026:10480-1
OPENSUSE-SU-2026:10481-1
OPENSUSE-SU-2026:20517-1
PSF-2026-11
RHSA-2026:10950
RHSA-2026:19064
RHSA-2026:19177
RHSA-2026:7443
RHSA-2026:7661
RHSA-2026:8822
RHSA-2026:8824
SUSE-SU-2026:1206-1
SUSE-SU-2026:1292-1
SUSE-SU-2026:1296-1
SUSE-SU-2026:1345-1
SUSE-SU-2026:1349-1
SUSE-SU-2026:1354-1
SUSE-SU-2026:1376-1
SUSE-SU-2026:1385-1
SUSE-SU-2026:1417-1
SUSE-SU-2026:1530-1
SUSE-SU-2026:1715-1
SUSE-SU-2026:21104-1
SUSE-SU-2026:21178-1
SUSE-SU-2026:21254-1

Affected Products

Red Os
Rocky Linux
Http.Cookies