CVE-2026-0865

Description

User-controlled header names and values containing newlines can allow injecting HTTP headers.

How to fix CVE-2026-0865

To remediate CVE-2026-0865, upgrade the affected package to a fixed version below.

• Bitnami/libpython—upgrade to 3.10.20 or later
• Bitnami/python—upgrade to 3.10.20 or later
• Bitnami/python-min—upgrade to 3.10.20 or later
• Debian/jython—no fix listed
• —no fix listed
• —no fix listed
• —upgrade to 3.11.2-6+deb12u7 or later
• —upgrade to 3.13.5-2+deb13u1 or later
• —upgrade to 3.14.3-1 or later
• —upgrade to 3.9.2-1+deb11u5 or later

Is CVE-2026-0865 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (10)

• from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
• from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
• from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
• from 0
• from 0
• from 0
• from 0, < 3.11.2-6+deb12u7
• from 0, < 3.13.5-2+deb13u1
• from 0, < 3.14.3-1
• from 0, < 3.9.2-1+deb11u5

CVSS scores

References (17)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-0865
• WEBgithub.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58
• WEBgithub.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510
• WEBgithub.com/python/cpython/commit/286e3ac39984fe85a17f4ab39c64d382137aae5f