CVE-2026-3644

ADVISORY - nist

Summary

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-116⁠

Improper Encoding or Escaping of Output

CWE-20⁠

Improper Input Validation

Impacted images

Advisories

NIST

CREATED

7 hours ago

UPDATED

6 hours ago

ADVISORY IDCVE-2026-3644⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-116⁠CWE-20⁠

CVSS SCORE

6medium

Debian

CREATED

2 hours ago

UPDATED

2 hours ago

ADVISORY IDCVE-2026-3644⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY