6

CVE-2026-1299

email BytesGenerator header injection due to unquoted newlines

The 
email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when 
serializing an email message allowing for header injection when an email
 is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPython Software Foundation
Produkt CPython
Default Statusunaffected
Version 0
Version < 3.10.20
Status affected
Version 3.11.0
Version < 3.11.15
Status affected
Version 3.12.0
Version < 3.12.13
Status affected
Version 3.13.0
Version < 3.13.12
Status affected
Version 3.14.0
Version < 3.14.3
Status affected
Version 3.15.0a1
Version < 3.15.0a6
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.56% 0.421
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cna@python.org 6 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

https://github.com/python/cpython/pull/144126
https://github.com/python/cpython/issues/144125
https://cve.org/CVERecord?id=CVE-2024-6923
https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/
https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413
https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8
https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9
https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4
https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36
https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a