High severity 7.5 · NVD Advisory · Published Mar 16, 2026 · Updated Jun 4, 2026
CVE-2026-3644
Description
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
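A defensive check for the gap described above, as an added example that is not code from CPython or from this advisory: it scans every cookie field for control characters before `js_output()` is emitted, and probes whether the running interpreter still accepts them through `Morsel.update()` and `|=`. The function names, the sample cookie and the character class `[\x00-\x1f\x7f]` are assumptions made for illustration.

```python
import re
from http.cookies import Morsel, SimpleCookie

# C0 control characters plus DEL; the exact set CPython rejects is an assumption.
_CTL = re.compile(r"[\x00-\x1f\x7f]")

def find_control_chars(cookie):
    """Return sorted 'cookie.field' names whose text contains a control character."""
    bad = []
    for name, morsel in cookie.items():
        fields = {"key": morsel.key, "value": morsel.value,
                  "coded_value": morsel.coded_value}
        fields.update(dict.items(morsel))  # path, domain, expires, ...
        for field, text in fields.items():
            if isinstance(text, str) and _CTL.search(text):
                bad.append(f"{name}.{field}")
    return sorted(bad)

def guarded_js_output(cookie):
    """Emit js_output() only after every field has passed the scan."""
    bad = find_control_chars(cookie)
    if bad:
        raise ValueError(f"control characters in cookie fields: {bad}")
    return cookie.js_output()

def probe_runtime():
    """Report which mutation paths of this interpreter accept a control character."""
    def accepts(mutate):
        m = Morsel()
        m.set("probe", "v", "v")
        try:
            mutate(m)
        except Exception:  # any rejection counts as validated
            return False
        return bool(_CTL.search(str(m["path"])))
    def via_ior(m):
        m |= {"path": "/a\x0bb"}
    return {"update": accepts(lambda m: m.update({"path": "/a\x0bb"})),
            "ior": accepts(via_ior)}

def sample_cookie():
    """Constructed sample: dict.__setitem__ seeds the bad value on any runtime."""
    c = SimpleCookie()
    c["session"] = "abc123"
    dict.__setitem__(c["session"], "path", "/a\x0bb")
    return c
```

A `True` value from `probe_runtime()` means that path performed no validation on this interpreter, so the output-side guard is the only check in place until the runtime is upgraded.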
Affected products
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:* (range: <3.13.13)
- cpe:2.3:a:python:python:3.15.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.15.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.15.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.15.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.15.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.15.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.15.0:alpha7:*:*:*:*:*:*
References
- github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4 (nvd, Patch)
- github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd (nvd, Patch)
- github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd (nvd, Patch)
- github.com/python/cpython/pull/145600 (nvd, Patch)
- mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/ (nvd, Third Party Advisory)
- github.com/python/cpython/issues/145599 (nvd, Issue Tracking)