This Red Hat security advisory addresses four vulnerabilities in python3.11 related to injection attacks: CVE-2026-0865 (header newline injection in wsgiref.headers.Headers), CVE-2025-15366 (IMAP command injection via user-controlled commands), CVE-2025-15367 (POP3 command injection via user-controlled commands), and CVE-2026-1299 (email header injection due to unquoted newlines). These vulnerabilities could allow attackers to inject malicious commands or headers when processing certain protocols or headers in Python applications. The advisory covers Red Hat Enterprise Linux 9.4 Extended Update Support and related products. Updated python3.11 packages have been released to fix these issues.

The vulnerabilities could enable injection attacks through Python's handling of IMAP, POP3, and HTTP headers, potentially allowing attackers to manipulate commands or headers in affected applications. Red Hat rates the overall security impact as moderate. There are no reports of known exploits in the wild at this time.

Red Hat has released updated python3.11 packages for Red Hat Enterprise Linux 9.4 Extended Update Support and related products that address these vulnerabilities. Users should apply the provided security update as detailed in the Red Hat advisory RHSA-2026:6253 (https://access.redhat.com/errata/RHSA-2026:6253) to remediate these issues. Patch status is confirmed as available via the vendor advisory.