This Red Hat security advisory addresses four vulnerabilities in python3.12 related to injection attacks: CVE-2026-0865 (header newline injection in wsgiref.headers.Headers), CVE-2025-15366 (IMAP command injection via user-controlled commands), CVE-2025-15367 (POP3 command injection via user-controlled commands), and CVE-2026-1299 (email header injection due to unquoted newlines). These issues could allow an attacker to inject malicious commands or headers when interacting with Python's email, IMAP, POP3, or wsgiref modules. The advisory provides updated python3.12 packages for Red Hat Enterprise Linux 10 and related products to fix these vulnerabilities. The update is classified as moderate severity by Red Hat Product Security. No CVSS scores are provided in the advisory, and no exploits in the wild are currently known.

The vulnerabilities allow injection attacks through Python modules handling email headers and IMAP/POP3 commands, potentially enabling attackers to manipulate headers or commands in user-controlled inputs. This could lead to security issues such as command injection or header injection, impacting applications relying on these Python modules. The overall security impact is rated as moderate by Red Hat. There are no reports of active exploitation in the wild.

Red Hat has released updated python3.12 packages for Red Hat Enterprise Linux 10 and related products that address these vulnerabilities. Users should apply the security update as described in the Red Hat advisory RHSA-2026:4713 and the referenced article https://access.redhat.com/articles/11258 to remediate these issues. Patch status is confirmed as fixed by the vendor. No additional mitigation steps are indicated beyond applying the official update.