Garden Linux Vulnerability Database
CVE Description

"When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters."

Metadata

| Vulnerability Status | Published Date | Modified Date | Ingested Date |
|---|---|---|---|
| Awaiting Analysis | 2026-01-20T22:15:52.680 | 2026-01-26T15:16:07.033 | 2026-01-26 15:16:07.033+00 |

CVSS Scores

CVSS Version Base Score DEB CVSS Severity Vector String
4.0 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Linux Images

| Distro | Version | Source Package | Package Version | Is Vulnerable | Is fixed in Version |
|---|---|---|---|---|---|
| debian_linux | 13 | pypy3 | 7.3.19+dfsg-2 | true | |
| debian_linux | 13 | python3.13 | 3.13.5-2 | true | |
| debian_linux | 12 | pypy3 | 7.3.11+dfsg-2+deb12u3 | true | |
| gardenlinux | kvm-cilium-k3s-1862.0-6be879c6 | python3.13 | 3.13.3-2gl0 | true | |
| gardenlinux | kvm-gardener-1862.0-6be879c6 | python3.13 | 3.13.3-2gl0 | true | |
| gardenlinux | pt-gardener-nvgpu-1862.0-6be879c6 | python3.13 | 3.13.3-2gl0 | true | |
| gardenlinux | metal-cilium-k3s-osc-ucode-vhost-1862.0-6be879c6 | python3.13 | 3.13.3-2gl0 | true | |
| gardenlinux | metal-cilium-k3s-osc-ucode-1862.0-6be879c6 | python3.13 | 3.13.3-2gl0 | true | |
| gardenlinux | metal-cilium-k3s-osc-router-ucode-1862.0-6be879c6 | python3.13 | 3.13.3-2gl0 | true | |
| debian_linux | 14 | pypy3 | 7.3.20+dfsg-4 | true | |
| debian_linux | 14 | python3.13 | 3.13.11-1 | true | |
| debian_linux | 14 | python3.14 | 3.14.2-1 | true | |