VYPR
High severity7.5NVD Advisory· Published Mar 16, 2026· Updated Jun 4, 2026

CVE-2026-3644

CVE-2026-3644

Description

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

149

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.