Skip to main content

Python configparser CVE-2026-0864

| EUVDEUVD-2026-38554 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-23 PSF GHSA-g345-7jg6-m22p
4.1
CVSS 4.0 · Vendor: PSF
Share

Severity by source

Vendor (PSF) PRIMARY
4.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.0 MEDIUM

Local vector and high complexity reflect the required attack conditions; PR:H and UI:R map from CVSS 4.0 PR:H and UI:P; integrity-only impact with no confidentiality or availability effect.

3.1 AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
4.0 AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (PSF).

CVSS VectorVendor: PSF

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 18:35 vuln.today
Analysis Generated
Jun 23, 2026 - 18:35 vuln.today

DescriptionCVE.org

When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.

AnalysisAI

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via configparser.write() to smuggle arbitrary keys and values into the resulting INI-style configuration file by embedding carriage return (\r) characters. All CPython versions are listed as affected per the NVD CPE wildcard, and any Python application that writes attacker-influenced data to config files via configparser is a candidate target. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker controls application input value
Delivery
Application passes \r-containing string to configparser.write()
Exploit
CR character terminates value line in config file
Execution
Injected key=value pair written as standalone config entry
Persist
Application re-reads config and processes unexpected entries
Impact
Security-relevant setting overridden by injected value

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the attacker controls a string value that a Python application writes to a config file using configparser.write() - for example, through a user-supplied profile field, API request body, or any application input persisted to an INI-style config; (2) the application runs with sufficient privilege for the attacker's data to reach the write path (CVSS PR:H); and (3) the application subsequently re-reads the tampered config file in a security-relevant context. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N) places this at 4.1 Medium. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted profile field - for example, a user-supplied description or comment - containing an embedded \r character followed by a new key-value pair such as \radmin=true. An application that persists this field via configparser.write() writes the injected entry as an apparent standalone configuration key; on the next config file read, the application treats admin=true as a legitimate setting and elevates the attacker's privileges. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - monitor the PSF security announcement at https://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/ for an official tagged CPython release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-6100 CRITICAL
9.1 Apr 13

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a

CVE-2026-11972 HIGH
8.2 Jun 23

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted

CVE-2026-9669 HIGH
8.2 Jun 08

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4786 HIGH
7.0 Apr 13

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR

CVE-2026-4519 HIGH
7.0 Mar 20

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l

CVE-2026-7774 MEDIUM
6.9 Jun 04

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and

CVE-2026-7210 MEDIUM
6.3 May 11

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo

CVE-2026-3276 MEDIUM
6.3 Jun 03

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-6019 LOW
2.1 Apr 22

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parse

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected

Share

CVE-2026-0864 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy