
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN060
_____________________________________________________________________

DATE                : 21/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CPython.

=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/
https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/
https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/
https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/
https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/
https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/
_____________________________________________________________________


[CVE-2026-0672] Header injection in http.cookies.Morsel


Seth Larson
20 January 2026 13:57

There is a MEDIUM severity vulnerability affecting CPython.

When using http.cookies.Morsel, user-controlled cookie values and
parameters can allow injecting HTTP headers into messages. The patch
rejects all control characters within cookie names, values, and
parameters.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-0672
    https://github.com/python/cpython/pull/143920

_____________________________________________________________________


[CVE-2025-15367] POP3 command injection in user-controlled commands


Seth Larson
20 January 2026 16:48

There is a MEDIUM severity vulnerability affecting CPython.

The poplib module, when passed a user-controlled command, can have
additional commands injected using newlines. The mitigation rejects
commands containing control characters.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2025-15367
    https://github.com/python/cpython/pull/143924

_____________________________________________________________________


[CVE-2025-15366] IMAP command injection in user-controlled commands


Seth Larson
20 January 2026 21:41

There is a MEDIUM severity vulnerability affecting CPython.

The imaplib module, when passed a user-controlled command, can have
additional commands injected using newlines. The mitigation rejects
commands containing control characters.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2025-15366
    https://github.com/python/cpython/pull/143922


_____________________________________________________________________
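The two advisories above (poplib and imaplib) describe the same failure shape: a user-controlled string is placed into a CRLF-terminated protocol line without being checked, so a CR/LF inside it ends the current command and starts another. The following example is added to this digest and is not CPython's poplib or imaplib code; it uses no network. FakeLineServer is a constructed stand-in that splits its input on CRLF exactly as a POP3 or IMAP server would, naive_putcmd is the unchecked client shape, and hardened_putcmd applies the pre-send check the mitigation is built on: refuse every ASCII control character, not only CR and LF.

```python
# Example added to this digest (not CPython's poplib/imaplib code): shows how a
# CRLF inside a user-controlled argument turns one mail-protocol command into two,
# and a pre-send check shaped like the mitigation (reject control characters).
# No network is used; FakeLineServer is a constructed stand-in that splits input
# on CRLF exactly as a POP3/IMAP server would.

CRLF = "\r\n"


def has_control_chars(s: str) -> bool:
    """True if s holds any ASCII control character (0x00-0x1F or 0x7F).
    Covers CR and LF, plus NUL, TAB and the rest, which is what 'reject all
    control characters' means in the advisory."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


class FakeLineServer:
    """Records every CRLF-terminated line it receives as one command."""

    def __init__(self):
        self.commands = []

    def receive(self, data: bytes) -> None:
        # Real servers often tolerate a bare LF as well; CRLF is enough here.
        for line in data.decode("ascii", "replace").split(CRLF):
            if line:
                self.commands.append(line)


def naive_putcmd(server: FakeLineServer, *parts: str) -> None:
    """Unchecked client: join the pieces with spaces and append CRLF.
    An argument that itself contains CRLF becomes a second command."""
    server.receive((" ".join(parts) + CRLF).encode("ascii", "replace"))


def hardened_putcmd(server: FakeLineServer, *parts: str) -> None:
    """Same wire format, but refuse any piece carrying a control character
    before it is serialised."""
    for part in parts:
        if has_control_chars(part):
            raise ValueError(f"control character in protocol command: {part!r}")
    naive_putcmd(server, *parts)


def pop3_commands(username: str) -> list:
    """What a POP3 server sees for 'USER <username>' from the unchecked client."""
    server = FakeLineServer()
    naive_putcmd(server, "USER", username)
    return server.commands


def imap_commands(tag: str, mailbox: str) -> list:
    """What an IMAP server sees for '<tag> SELECT <mailbox>' from the unchecked client."""
    server = FakeLineServer()
    naive_putcmd(server, tag, "SELECT", mailbox)
    return server.commands


def hardened_pop3(username: str):
    """Commands the server sees, or the rejection message if the check fired."""
    server = FakeLineServer()
    try:
        hardened_putcmd(server, "USER", username)
    except ValueError as exc:
        return f"rejected: {exc}"
    return server.commands


if __name__ == "__main__":
    # Constructed inputs: the second command rides on a CRLF inside the argument.
    print(pop3_commands("alice\r\nNOOP"))            # two commands, not one
    print(imap_commands("A001", "INBOX\r\nA002 NOOP"))
    print(hardened_pop3("alice\r\nNOOP"))            # rejected before sending
    print(hardened_pop3("alice"))
```

The check runs on every piece of the command, not only on the argument an application thinks is user-controlled: in an IMAP client the tag is part of the line too, and a tag chosen from user input would be just as injectable as a mailbox name.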


[CVE-2025-15282] Header injection via newlines in data URL mediatype

Seth Larson
20 January 2026 15:35

There is a MEDIUM severity vulnerability affecting CPython.

User-controlled data URLs parsed by urllib.request.DataHandler allow
injecting headers through newlines in the data URL mediatype.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2025-15282
    https://github.com/python/cpython/pull/143926

_____________________________________________________________________


[CVE-2026-0865] wsgiref.headers.Headers allows header newline injection


Seth Larson
20 January 2026 15:27

There is a MEDIUM severity vulnerability affecting CPython.

User-controlled header names and values containing newlines can allow
injecting HTTP headers.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-0865
    https://github.com/python/cpython/pull/143917

_____________________________________________________________________
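The Morsel, DataHandler and wsgiref.headers advisories in this digest share one mechanism: a user-controlled fragment is written into a "Name: value" line and a CR/LF inside it starts a new header line on the wire. The example below is added here and is not CPython's wsgiref, http.cookies or urllib.request code. It serialises headers with a constructed writer that has the shape of the unpatched code paths, parses the result back with http.client.parse_headers to show what a receiver actually sees, and applies the check the fixes are built on (reject every control character) to cookie attributes, header values and the mediatype of a data: URL before it is turned into a Content-Type header. The data: URL is split with plain string operations, as DataHandler does, because urllib.parse.urlsplit strips newlines and would hide the problem.

```python
# Example added to this digest (not CPython's wsgiref, http.cookies or
# urllib.request code). Serialises headers the way those modules do
# ('Name: value' lines ending in CRLF), parses the result back with
# http.client.parse_headers to show what a receiver sees, and applies the
# check the fixes are built on: reject every control character in
# user-controlled header values, cookie attributes and data: URL mediatypes.
# The serialiser and all inputs are constructed for this example.
import io
import http.client

CRLF = "\r\n"


def has_control_chars(s: str) -> bool:
    """Any ASCII control character (0x00-0x1F, 0x7F), not just CR and LF."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def serialize_headers(headers) -> str:
    """Constructed 'Name: value' writer with no validation, the shape of the
    unpatched wsgiref.headers.Headers / Morsel.output() paths."""
    return "".join(f"{name}: {value}{CRLF}" for name, value in headers) + CRLF


def reparse(wire: str) -> list:
    """Parse the serialised block as an HTTP client would; each entry of the
    result is one header the receiver believes was sent."""
    msg = http.client.parse_headers(io.BytesIO(wire.encode("latin-1")))
    return list(msg.items())


def naive_response(cookie_path: str, location: str) -> list:
    """Unchecked: user-controlled pieces flow straight into header lines."""
    headers = [
        ("Set-Cookie", f"session=abc123; Path={cookie_path}"),
        ("Location", location),
    ]
    return reparse(serialize_headers(headers))


def validate_header_parts(*parts: str) -> None:
    """Refuse any header fragment carrying a control character."""
    for part in parts:
        if has_control_chars(part):
            raise ValueError(f"control character in header material: {part!r}")


def hardened_response(cookie_path: str, location: str) -> list:
    validate_header_parts(cookie_path, location)
    return naive_response(cookie_path, location)


def data_url_mediatype(url: str) -> str:
    """Split a data: URL with plain string operations, as DataHandler does
    (urllib.parse.urlsplit would strip newlines and hide the problem), then
    refuse control characters in the mediatype before it becomes a
    Content-Type header."""
    scheme, _, rest = url.partition(":")
    if scheme != "data":
        raise ValueError("not a data: URL")
    mediatype, sep, _payload = rest.partition(",")
    if not sep:
        raise ValueError("malformed data: URL")
    if mediatype.endswith(";base64"):
        mediatype = mediatype[: -len(";base64")]
    if not mediatype:
        mediatype = "text/plain;charset=US-ASCII"  # RFC 2397 default
    if has_control_chars(mediatype):
        raise ValueError(f"control character in mediatype: {mediatype!r}")
    return mediatype


def outcome(fn, *args):
    """Return fn(*args), or 'rejected: ...' when the check raised."""
    try:
        return fn(*args)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    injected_path = "/\r\nX-Injected: 1"            # constructed attacker input
    print(naive_response(injected_path, "/home"))    # three headers, not two
    print(outcome(hardened_response, injected_path, "/home"))
    print(outcome(data_url_mediatype, "data:text/html\r\nX-Injected: 1,<b>hi</b>"))
    print(data_url_mediatype("data:text/plain;base64,SGVsbG8="))
```

Re-parsing the wire bytes is the useful part of the demonstration: the unchecked response contains exactly two logical headers from the application's point of view, but the receiver sees three, and the one in the middle is entirely attacker-chosen. The check is deliberately applied to the raw fragments before any serialisation, which is the only point at which the application still knows which bytes came from the user.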


[CVE-2025-11468] Folding email comments of unfoldable characters
doesn't preserve parenthesis


Seth Larson
20 January 2026 13:10

There is a MEDIUM severity vulnerability affecting CPython.

When folding a long comment in an email header containing exclusively
unfoldable characters, the parenthesis would not be preserved. This could
be used for injecting headers into email messages where addresses are
user-controlled and not sanitized.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2025-11468
    https://github.com/python/cpython/pull/143936
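The advisory above frames the risk as applications that put user-controlled addresses into e-mail headers without sanitising them. The example below is added to this digest and is not the email package's own code; it shows a guard applied before an address reaches header folding: no control characters in either the display name or the addr-spec, and the addr-spec must come back unchanged from an email.utils.parseaddr round trip, so it carries no comment, angle-bracket or display-name structure of its own. The message is built in memory and never sent; all inputs are constructed.

```python
# Example added to this digest (not the email package's own code): a guard for
# user-controlled addresses before they reach header folding. The message is
# built in memory and never sent; all inputs are constructed.
from email.headerregistry import Address
from email.message import EmailMessage
from email.utils import parseaddr


def has_control_chars(s: str) -> bool:
    """Any ASCII control character (0x00-0x1F, 0x7F)."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def checked_address(display_name: str, addr_spec: str) -> Address:
    """Build an Address only from material that cannot smuggle a header line:
    no control characters in either part, and the addr-spec must survive a
    parseaddr round trip unchanged, so it contains no comment, angle-bracket
    or display-name structure of its own."""
    for part in (display_name, addr_spec):
        if has_control_chars(part):
            raise ValueError(f"control character in address part: {part!r}")
    name, spec = parseaddr(addr_spec)
    if name or spec != addr_spec or "@" not in spec:
        raise ValueError(f"not a bare addr-spec: {addr_spec!r}")
    # str(Address) quotes a display name that contains specials such as
    # parentheses, so the name is never emitted as a raw RFC 5322 comment.
    return Address(display_name=display_name, addr_spec=spec)


def build_message(to_name: str, to_addr: str) -> str:
    """Assemble a message with a validated recipient and return it serialised."""
    msg = EmailMessage()
    msg["From"] = Address("Service", addr_spec="noreply@example.org")
    msg["To"] = checked_address(to_name, to_addr)
    msg["Subject"] = "Account notice"
    msg.set_content("This is a constructed test body.")
    return msg.as_string()


def outcome(fn, *args):
    """fn(*args), or 'rejected: ...' when the guard raised."""
    try:
        return fn(*args)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(build_message("Alice", "alice@example.org"))
    # Constructed hostile inputs: a smuggled header line, an RFC 5322 comment
    # inside the addr-spec, and a display name hidden inside the addr-spec.
    print(outcome(checked_address, "Alice\r\nBcc: mallory@example.net", "alice@example.org"))
    print(outcome(checked_address, "Alice", "alice(note)@example.org"))
    print(outcome(checked_address, "Alice", "Bob <bob@example.org>"))
```

The round-trip test is what turns "sanitise the address" into something checkable: an addr-spec that parseaddr rewrites (by dropping a comment, or by splitting off a display name) is not the bare mailbox the application assumed it was, and is refused rather than silently normalised.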



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




