4.1
CVE-2026-0864
- EPSS 0.13%
- Veröffentlicht 23.06.2026 18:17:41
- Zuletzt bearbeitet 25.06.2026 19:51:26
- Quelle cna@python.org
- CVE-Watchlists
- Unerledigt
Configuration Injection via Carriage Return (\r) in write() method
When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPython Software Foundation
≫
Produkt
CPython
Default Statusunaffected
Version
0
Version <
3.15.0
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.027 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cna@python.org | 4.1 | 0 | 0 |
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
https://github.com/python/cpython/pull/151559
https://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f
https://github.com/python/cpython/issues/143927
https://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/
https://github.com/python/cpython/commit/0adb386f6e68eb2e73d32e19f235d012df009528
https://github.com/python/cpython/commit/71f2e02a52d47417a6fd69f456346cd8aa7aca98
https://github.com/python/cpython/commit/aaf850fd333cd89e9aada03d92aaa788a6cb1bb8