Skip to main content

CVE-2026-1299

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-01-23 cna@python.org

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 23, 2026 - 17:16 nvd
N/A

DescriptionCVE.org

The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".

AnalysisAI

The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

Technical ContextAI

The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".

Affected ProductsAI

The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowi

RemediationAI

Monitor vendor advisories for a patch.

Share

CVE-2026-1299 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy