CVE-2026-3644 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were…
Medium CVSS: 6.0

CVE-2026-3644

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
Vendor
-
Product
-
CWE
CWE-20
Yayın Tarihi
2026-03-16 18:16:09
Güncelleme
2026-03-17 14:20:01
Source Identifier
cna@python.org
KEV Date Added
-

Kategoriler

CWE-20 MEDIUM 2026

Referanslar

https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4 https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd https://github.com/python/cpython/issues/145599 https://github.com/python/cpython/pull/145600 https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/