Lucene search
K

80 matches found

OSV
OSV
added 2026/06/25 7:40 a.m.9 views

BIT-PYTHON-2026-6019 BaseCookie.js_output() does not neutralize embedded characters

http.cookies.Morsel.jsoutput returns an inline snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value...

6.1CVSS5.2AI score0.00229EPSS
Exploits1References7
RedHat Linux
RedHat Linux
added 2026/06/24 5:8 a.m.5 views

python: Python: Cross-Site Scripting (XSS) vulnerability in http.cookies module

A flaw was found in Python's http.cookies module. The Morsel.jsoutput function, responsible for generating JavaScript output for cookies, does not properly neutralize the HTML sequence. This oversight could allow a remote attacker to inject malicious script into a web page, potentially leading to...

6.1CVSS6.4AI score0.00229EPSS
Exploits1References8
Amazon
Amazon
added 2026/06/08 12:0 a.m.12 views

Medium: python3.13

Issue Overview: http.cookies.Morsel.jsoutput returns an inline snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie valu...

6.1CVSS5.4AI score0.00229EPSS
Exploits1
Amazon
Amazon
added 2026/06/08 12:0 a.m.13 views

Medium: python3.14

Issue Overview: The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other...

9.8CVSS5.4AI score0.0079EPSS
Exploits1
Tenable Nessus
Tenable Nessus
added 2026/06/08 12:0 a.m.10 views

Amazon Linux 2023 : python3.12, python3.12-devel, python3.12-idle (ALAS2023-2026-1821)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1821 advisory. The import hook in CPython that handles legacy .pyc files SourcelessFileLoader is incorrectly handled in FileLoader a base class and so does not use io.opencode to read the .pyc files. sys.aud...

6.1CVSS5.5AI score0.00229EPSS
Exploits1References6
Tenable Nessus
Tenable Nessus
added 2026/05/28 12:0 a.m.13 views

RockyLinux 9 : python3.12 (RLSA-2026:19177)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19177 advisory. expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing CVE-2025-59375...

9.1CVSS7.2AI score0.01279EPSS
Exploits1References25
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.11 views

Astra Linux – Vulnerability in Python 3.11

When using http.cookies.Morsel, user-controlled cookie values and parameters may allow the injection of HTTP headers into messages. The patch rejects all control characters within cookie names, values, and parameters...

6CVSS7AI score0.00401EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/05/19 6:30 p.m.13 views

cpython: Incomplete control character validation in http.cookies

A control character validation flaw has been discovered in the Python http.cookie module. The Morsel.update, |= operator, and unpickling paths were not patched to resolve CVE-2026-0672, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output...

7.5CVSS7.2AI score0.00419EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2026/05/19 6:28 p.m.20 views

cpython: Incomplete control character validation in http.cookies

A control character validation flaw has been discovered in the Python http.cookie module. The Morsel.update, |= operator, and unpickling paths were not patched to resolve CVE-2026-0672, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output...

7.5CVSS7.2AI score0.00419EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2026/05/19 6:28 p.m.21 views

cpython: Header injection in http.cookies.Morsel in Python

An injection flaw has been discovered in Python. When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS7.2AI score0.00401EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2026/05/19 1:35 p.m.13 views

cpython: Incomplete control character validation in http.cookies

A control character validation flaw has been discovered in the Python http.cookie module. The Morsel.update, |= operator, and unpickling paths were not patched to resolve CVE-2026-0672, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output...

7.5CVSS7.2AI score0.00419EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2026/05/19 1:35 p.m.13 views

cpython: Header injection in http.cookies.Morsel in Python

An injection flaw has been discovered in Python. When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS7.2AI score0.00401EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2026/05/19 1:33 p.m.18 views

cpython: Incomplete control character validation in http.cookies

A control character validation flaw has been discovered in the Python http.cookie module. The Morsel.update, |= operator, and unpickling paths were not patched to resolve CVE-2026-0672, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output...

7.5CVSS7.2AI score0.00419EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2026/05/19 12:0 a.m.15 views

RHEL 10 : python3.12 (RHSA-2026:19064)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:19064 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

9.1CVSS7.2AI score0.01279EPSS
Exploits1References26
Debian
Debian
added 2026/05/15 6:12 a.m.18 views

[SECURITY] [DLA 4583-1] python3.9 security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-4583-1 [email protected] https://www.debian.org/lts/security/ Arnaud Rebillout May 15, 2026 https://wiki.debian.org/LTS -...

7.5CVSS6.8AI score0.00621EPSS
Exploits0
OSV
OSV
added 2026/05/09 12:33 p.m.6 views

OESA-2026-2270 python3 security update

Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C...

6.1CVSS5.8AI score0.00229EPSS
Exploits1References2
OSV
OSV
added 2026/05/09 12:33 p.m.7 views

OESA-2026-2269 python3 security update

Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C...

6.1CVSS5.8AI score0.00229EPSS
Exploits1References2
OSV
OSV
added 2026/05/07 4:59 a.m.13 views

CLSA-2026-1778129970 python3.11: Fix of 7 CVEs

CVE-2026-0672: reject control characters in http.cookies cookie names, values, and parameters to prevent header injection - CVE-2026-3644: reject control characters in Morsel.update, |= operator, and unpickling paths missed by CVE-2026-0672; add output validation to BaseCookie.jsoutput -...

7.5CVSS6.4AI score0.00575EPSS
Exploits0References1
Redos
Redos
added 2026/05/05 12:0 a.m.7 views

ROS-20260505-73-0052

A vulnerability in the http.cookies.Morsel component of the Python programming language interpreter is related to the failure to take measures to neutralize CRLF sequences. Exploitation of the vulnerability may allow a remote attacker to affect the availability of protected information...

6CVSS7.3AI score0.00401EPSS
Exploits0
Redos
Redos
added 2026/05/05 12:0 a.m.8 views

ROS-20260505-73-0053

A vulnerability in the http.cookies.Morsel component of the Python programming language interpreter is related to the failure to take measures to neutralize CRLF sequences. Exploitation of the vulnerability could allow a remote attacker to affect the availability of protected information...

6CVSS7.3AI score0.00401EPSS
Exploits0
Rows per page
Query Builder