There is a MEDIUM severity vulnerability affecting CPython.

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Please see the linked CVE ID for the latest information on affected versions:

• https://www.cve.org/CVERecord?id=CVE-2026-3644
• https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d4...

-- Best regards, Stan Ulbrych.