CVE-2026-3644

Summary

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Affected Software

VendorProductVersion RangeStatus
Python Software FoundationCPython0 < 3.13.13affected
Python Software FoundationCPython3.14.0 < 3.14.4affected
Python Software FoundationCPython3.15.0a1 < 3.15.0a8affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References