Unrated severityNVD Advisory· Published Jun 23, 2026· Updated Jun 23, 2026

Configuration Injection via Carriage Return (\r) in write() method

CVE-2026-0864

Description

When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Python (programming language)/Pythonllm-create

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851fmitrepatch
github.com/python/cpython/pull/151559mitrepatch
mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/mitrevendor-advisory
github.com/python/cpython/issues/143927mitreissue-tracking

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000