Zero Day MonitorZDM

← Back to list

—

CVE-2026-3644PATCHED

python software foundation · cpython

Incomplete control character validation in http.cookies

Description

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Affected Products

Vendor	Product	Versions
python software foundation	cpython	0, 3.14.0, 3.15.0a1

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
amazon	amazon linux	cert_advisory	90%
fedora	fedora linux	cert_advisory	90%
open source	python	cert_advisory	90%

References

Related News (1 articles)

Tier B

BSI Advisories8d ago

[UPDATE] [mittel] CPython: Mehrere Schwachstellen ermöglichen Manipulation von Dateien und DoS

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

3.14.43.15.0a8

PublishedMar 16, 2026

Last enriched9d ago

Trending Score5

Source articles1

Independent1

Info Completeness4/14

Missing: vendor, product, versions, cvss, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34591EXP

Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write

HIGHCVE-2026-1502

HTTP client proxy tunnel headers not validated for CR/LF

NONECVE-2026-3446

Base64 decoding stops at first padded quad by default

NONECVE-2026-4519EXP

webbrowser.open() allows leading dashes in URLs

NONECVE-2025-13462

tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 16, 2026

Discovered by ZDM

Apr 1, 2026

Patch Available

Apr 7, 2026