CVE-2026-3644

Description

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

How to fix CVE-2026-3644

To remediate CVE-2026-3644, upgrade the affected package to a fixed version below.

• —upgrade to 3.14.5-r0 or later
• —upgrade to 3.15.0 or later
• —upgrade to 3.15.0 or later
• —no fix listed
• —upgrade to 3.13.5-2+deb13u2 or later
• —upgrade to 3.14.3-4 or later
• —upgrade to 3.9.2-1+deb11u7 or later

Is CVE-2026-3644 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 3.14.5-r0
• from 0, < 3.15.0
• from 0, < 3.15.0
• from 0
• from 0, < 3.13.5-2+deb13u2
• from 0, < 3.14.3-4
• from 0, < 3.9.2-1+deb11u7

CVSS scores

References (9)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-3644
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-3644
• WEBgithub.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4
• WEBgithub.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd