PT-2026-37286 · Pypi · Microdot
Luantq0 · Published 2026-05-05 · Updated 2026-05-11
CVE-2026-42874
CVSS v3.1: 3.7 (Low)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
microdot versions prior to 2.6.1
Description
The Response.set_cookie() function does not sanitize string arguments and fails to detect the \r sequence, which allows HTTP response splitting and header injection. To exploit this, an attacker must first compromise the client, for example through a Cross-Site Scripting (XSS) attack, so that it sends malicious data which the server then stores in a cookie for the victim. The attack is therefore limited to the specific compromised client.
Recommendations
Upgrade to version 2.6.1.
As a temporary workaround, do not pass untrusted data to the Response.set_cookie() function.
Fix
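Added example, not part of this advisory or of the microdot project: a constructed stand-in Response class (not microdot's) whose set_cookie() writes the value into the header unchecked, next to a validating wrapper that implements the workaround above. It goes beyond the advisory's \r case by also rejecting \n, since either character terminates a header line.

```python
import re

# CR or LF inside a Set-Cookie value ends the header line early, so whatever
# follows is parsed by the client as a further header (response splitting).
_HEADER_BREAK = re.compile(r"[\r\n]")


def is_header_safe(field: str) -> bool:
    """True when the string cannot terminate an HTTP header line."""
    return _HEADER_BREAK.search(field) is None


class StubResponse:
    """Constructed stand-in for a framework Response object (not microdot's).

    set_cookie() mirrors the unchecked behaviour the advisory describes:
    the value is written into the header line without validation.
    """

    def __init__(self) -> None:
        self.headers: list[str] = []

    def set_cookie(self, name: str, value: str, path: str = "/") -> None:
        self.headers.append(f"Set-Cookie: {name}={value}; Path={path}")

    def raw_header_lines(self) -> list[str]:
        """Header block as a client would split it, one element per line."""
        return "\r\n".join(self.headers).split("\r\n")


def safe_set_cookie(response, name: str, value: str, **attrs) -> None:
    """Reject CR/LF in every cookie field before delegating to set_cookie().

    This is the advisory's interim workaround made mechanical: untrusted
    data only reaches set_cookie() once it is known to be header-safe.
    """
    for field in (name, value, *(str(v) for v in attrs.values())):
        if not is_header_safe(field):
            raise ValueError(f"cookie field contains CR/LF: {field!r}")
    response.set_cookie(name, value, **attrs)


if __name__ == "__main__":
    # Constructed sample: a value carrying a CR LF pair and an extra header.
    tainted = "abc\r\nX-Injected: 1"
    r = StubResponse()
    r.set_cookie("session", tainted)   # unchecked: the header is split in two
    print(r.raw_header_lines())
    try:
        safe_set_cookie(StubResponse(), "session", tainted)
    except ValueError as e:
        print("blocked:", e)
```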
Weakness Enumeration
Related Identifiers
Affected Products
Microdot