This vulnerability in CPython involves incomplete input validation for control characters in the http.cookies.Morsel class. While the original fix for CVE-2026-0672 rejected control characters, the Morsel.update() method, the |= operator, and unpickling mechanisms were not updated accordingly, allowing control characters to bypass validation. Furthermore, BaseCookie.js_output() did not implement the same output validation as BaseCookie.output(), potentially enabling malformed cookie data to be processed or output without proper sanitization. The affected versions include CPython 0 through 3.15.0a1.

The vulnerability allows control characters to bypass input validation in cookie handling within CPython, which could lead to unexpected behavior or security issues related to cookie processing. The CVSS 4.0 score of 6 (medium severity) indicates a moderate impact with network attack vector, low attack complexity, and partial required privileges. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the Python Software Foundation advisory for current remediation guidance. No official patch links are provided in the current data. Users should monitor the vendor advisory for updates and apply any official fixes once available. Until then, cautious handling of cookie data and avoiding untrusted input in affected methods is advisable.