Medium severityOSV Advisory· Published Jan 23, 2026· Updated Apr 15, 2026

CVE-2026-1299

Description

The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".

Affected products

Python (programming language)/CpythonOSV
Range: v0.9.8, v0.9.9, v1.0.1, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cve.org/CVERecordnvd
github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413nvd
github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8nvd
github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9nvd
github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4nvd
github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36nvd
github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831anvd
github.com/python/cpython/issues/144125nvd
github.com/python/cpython/pull/144126nvd
mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/nvd

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000