PT-2026-3671 · Python+4 · Http.Cookies.Morsel+4

Seth Larson

·

Published

2026-01-16

·

Updated

2026-06-09

·

CVE-2026-0672

CVSS v2.0

7.5

High

VectorAV:N/AC:L/Au:S/C:N/I:P/A:C
Name of the Vulnerable Software and Affected Versions http.cookies.Morsel (affected versions not specified)
Description User-controlled cookie values and parameters within http.cookies.Morsel can potentially allow the injection of HTTP headers into messages. A patch has been implemented to address this by rejecting all control characters within cookie names, values, and parameters.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-93

Related Identifiers

ALSA-2026:10950
ALSA-2026:19064
ALSA-2026:19177
AZL-75026
AZL-75044
BDU:2026-05125
BIT-LIBPYTHON-2026-0672
BIT-PYTHON-2026-0672
BIT-PYTHON-MIN-2026-0672
CVE-2026-0672
ECHO-7075-DDFD-72A9
OESA-2026-1356
OESA-2026-1461
OESA-2026-1462
OESA-2026-1463
OPENSUSE-SU-2026:10126-1
OPENSUSE-SU-2026:10200-1
OPENSUSE-SU-2026:10206-1
OPENSUSE-SU-2026:10221-1
OPENSUSE-SU-2026:10222-1
OPENSUSE-SU-2026:10223-1
OPENSUSE-SU-2026:10990-1
OPENSUSE-SU-2026:20254-1
PSF-2026-5
RHSA-2026:10950
RHSA-2026:19064
RHSA-2026:19177
SUSE-SU-2026:0590-1
SUSE-SU-2026:0612-1
SUSE-SU-2026:0613-1
SUSE-SU-2026:0642-1
SUSE-SU-2026:0643-1
SUSE-SU-2026:0644-1
SUSE-SU-2026:0645-1
SUSE-SU-2026:0663-1
SUSE-SU-2026:0664-1
SUSE-SU-2026:0693-1
SUSE-SU-2026:0767-1
SUSE-SU-2026:1062-1
SUSE-SU-2026:1107-1
SUSE-SU-2026:1117-1
SUSE-SU-2026:1349-1
SUSE-SU-2026:20543-1
SUSE-SU-2026:20581-1
SUSE-SU-2026:20665-1
SUSE-SU-2026:20710-1
SUSE-SU-2026:20768-1
SUSE-SU-2026:20796-1
USN-8018-1
USN-8018-3

Affected Products

Linuxmint
Red Os
Rocky Linux
Ubuntu
Http.Cookies.Morsel