Fluid Attacks Database

Description

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python3.11	=3.11.2-6 \|\| =3.11.2-6+deb12u1 \|\| =3.11.2-6+deb12u2 \|\| =3.11.2-6+deb12u3 \|\| =3.11.2-6+deb12u4 \|\| =3.11.2-6+deb12u5 \|\| =3.11.2-6+deb12u6 \|\| =3.11.2-6+deb12u7 \|\| =3.11.2-6+deb12u8 \|\| =3.11.3-1 \|\| =3.11.3-2 \|\| =3.11.4-1 \|\| =3.11.5-1 \|\| =3.11.5-2 \|\| =3.11.5-3 \|\| =3.11.6-1 \|\| =3.11.6-2 \|\| =3.11.6-3 \|\| =3.11.6-3~hurd.2 \|\| =3.11.7-1 \|\| =3.11.7-2 \|\| =3.11.8-1 \|\| =3.11.8-1.1~exp1 \|\| =3.11.8-1.1~exp2 \|\| =3.11.8-2 \|\| =3.11.8-3 \|\| =3.11.8-3+hurd.1 \|\| =3.11.9-1	-
debian 13	python3.13	=3.13.5-2 \|\| =3.13.5-2+deb13u1 \|\| >=0 <3.13.5-2+deb13u2	3.13.5-2+deb13u2
debian 11	python3.9	=3.9.2-1 \|\| =3.9.2-1+deb11u1 \|\| =3.9.2-1+deb11u2 \|\| =3.9.2-1+deb11u3 \|\| =3.9.2-1+deb11u4 \|\| =3.9.2-1+deb11u5 \|\| =3.9.2-1+deb11u6 \|\| >=0 <3.9.2-1+deb11u7	3.9.2-1+deb11u7
rpm rhel10	python3.14	<0:3.14.4-2.el10_2	0:3.14.4-2.el10_2
rpm rhel9	python3.12	<0:3.12.13-2.el9_8	0:3.12.13-2.el9_8
rpm rhel7	python3	-	-
rpm rhel8	python3.12	<0:3.12.13-2.el8_10	0:3.12.13-2.el8_10
rpm rhel10	python3.12	<0:3.12.13-2.el10_2	0:3.12.13-2.el10_2
rpm rhel7	python	-	-
debian 14	python3.14	=3.14.0-1 \|\| =3.14.0-2 \|\| =3.14.0-3 \|\| =3.14.0-4 \|\| =3.14.0-5 \|\| =3.14.0~a7-1 \|\| =3.14.0~b1-1 \|\| =3.14.0~b2-1 \|\| =3.14.0~b3-1 \|\| =3.14.0~b4-1 \|\| =3.14.0~rc1-1 \|\| =3.14.0~rc2-1 \|\| =3.14.0~rc3-1 \|\| =3.14.2-1 \|\| =3.14.3-1 \|\| =3.14.3-2 \|\| =3.14.3-3 \|\| >=0 <3.14.3-4	3.14.3-4

1-10 of 19

Aliases

1. CVE-2026-36442. NVD-2026-36443. OSV-DEBIAN-2026-36444. OSV-2026-36445. SECURITY-TRACKER-CVE-2026-3644