CVE-2026-1299

{"id": "CVE-2026-1299", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cna@python.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-23T17:16:12.977", "references": [{"url": "https://cve.org/CVERecord?id=CVE-2024-6923", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/issues/144125", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/pull/144126", "source": "cna@python.org"}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/", "source": "cna@python.org"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cna@python.org", "description": [{"lang": "en", "value": "CWE-93"}]}], "descriptions": [{"lang": "en", "value": "The \nemail module, specifically the \"BytesGenerator\" class, didn\u2019t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\"."}, {"lang": "es", "value": "El m\u00f3dulo de correo electr\u00f3nico, espec\u00edficamente la clase 'BytesGenerator', no escapaba correctamente los saltos de l\u00ednea para los encabezados de correo electr\u00f3nico al serializar un mensaje de correo electr\u00f3nico, lo que permit\u00eda la inyecci\u00f3n de encabezados cuando se serializa un correo electr\u00f3nico. Esto solo es aplicable si se utiliza 'LiteralHeader' para escribir encabezados que no respetan las reglas de plegado de correo electr\u00f3nico; el nuevo comportamiento rechazar\u00e1 los encabezados plegados incorrectamente en 'BytesGenerator'."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cna@python.org"}