CVE-2026-3644

ADVISORY - nist

Summary

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
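A defender-side check for the condition described above, as an added example that is not part of the advisory or of CPython's own code: it inspects morsel state directly, so it applies however the data was written, and it gates js_output() on the result. Assumptions: the function names are hypothetical, control characters are taken to be U+0000-U+001F and U+007F, and the sample cookies are constructed.

```python
# Added example; helper names are hypothetical, sample data is constructed.
from http.cookies import CookieError, SimpleCookie

def has_control_chars(value):
    # Assumption: control characters are U+0000-U+001F and U+007F.
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in str(value))

def tainted_fields(cookie):
    """Return sorted (cookie_name, field) pairs holding control characters.

    Reads morsel state directly, so the result does not depend on whether the
    data arrived via Morsel.set(), Morsel.update(), |= or unpickling.
    """
    findings = []
    for name, morsel in cookie.items():
        fields = {"key": morsel.key, "value": morsel.value,
                  "coded_value": morsel.coded_value}
        fields.update(dict(morsel))  # attributes such as path, domain, max-age
        findings += [(name, f) for f, v in fields.items() if has_control_chars(v)]
    return sorted(findings)

def checked_js_output(cookie):
    """Emit js_output() only when no morsel field carries a control character."""
    bad = tainted_fields(cookie)
    if bad:
        raise CookieError("control characters in cookie fields: %r" % (bad,))
    return cookie.js_output()

def constructed_samples():
    """Constructed data: a clean cookie and one with a tainted path attribute."""
    def build():
        c = SimpleCookie()
        c["session"] = "abc123"
        c["session"]["path"] = "/app"
        return c
    clean, dirty = build(), build()
    # dict.__setitem__ stands in for an unvalidated write so the sample is
    # identical on patched and unpatched interpreters.
    dict.__setitem__(dirty["session"], "path", "/app\r\nX-Constructed: 1")
    return clean, dirty

if __name__ == "__main__":
    clean, dirty = constructed_samples()
    print("clean:", tainted_fields(clean))
    print("dirty:", tainted_fields(dirty))
```

The same tainted_fields() check can be run over cookies restored from a pickle or merged from another mapping before any header or script output is generated.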

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Encoding or Escaping of Output

Improper Input Validation

ADVISORY - redhat

Incomplete Filtering of Special Elements

