Microdot CVE-2026-42874
Severity: LOW
CVSS Vector (NVD):
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Description (NVD)
Impact
The Response.set_cookie() method does not sanitize its string arguments; in particular, it does not detect the \r\n sequence in them. This is a potential source of header injection (HTTP response splitting) attacks.
For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack) so that it sends malicious data that the server then stores in a cookie on behalf of the victim. An attacker that infiltrates one client can only mount a header injection attack against that client; all other clients that were not infiltrated are unaffected.
Patches
Upgrade to version 2.6.1.
Workarounds
Do not pass untrusted data to the Response.set_cookie() method.
Analysis (AI)
HTTP response splitting in Microdot's Response.set_cookie() method allows header injection when attacker-controlled data reaches the server (for example from a client already compromised by an independent XSS attack) and is stored as a cookie value. The vulnerability stems from unsanitized carriage return and line feed characters (\r\n) in cookie parameters: a \r\n inside a value terminates the Set-Cookie header early, and whatever follows is emitted as additional HTTP headers of the attacker's choosing. …
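The following is an added example, not Microdot's code, illustrating both the Workarounds advice above and the analysis just given. The serializer `build_response`, the parser `parse_header_names` and the sample value `MALICIOUS_VALUE` are all hypothetical and constructed here; the naive serializer reproduces the class of bug (a cookie value written into the header block without validation), and `check_cookie_value` is the check a caller should apply to untrusted data before passing it to `Response.set_cookie()`. The validator accepts only the `cookie-octet` set from RFC 6265, which excludes CR, LF and every other control character as well as space, double quote, comma, semicolon and backslash.

```python
import re

# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E.
# Everything else (CTLs including \r and \n, space, DQUOTE, comma,
# semicolon, backslash, non-ASCII) is rejected.
_COOKIE_VALUE_RE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")

# Constructed sample of attacker-controlled data: a cookie value that carries
# a CRLF sequence followed by extra header lines.
MALICIOUS_VALUE = "dark\r\nSet-Cookie: session=attacker\r\nX-Injected: 1"


def build_response(status, headers, cookies):
    """Hypothetical naive serializer (not Microdot's): cookie values go straight
    into the header block with no validation, so a '\\r\\n' inside a value ends
    the Set-Cookie line early and the remainder is emitted as further headers."""
    lines = ["HTTP/1.0 %d OK" % status]
    for name, value in headers:
        lines.append("%s: %s" % (name, value))
    for name, value in cookies.items():
        lines.append("Set-Cookie: %s=%s; Path=/" % (name, value))
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_header_names(raw):
    """Return the header names a client would see, in order (status line excluded)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


def is_safe_cookie_value(value):
    """True if every character is an RFC 6265 cookie-octet."""
    return _COOKIE_VALUE_RE.fullmatch(value) is not None


def check_cookie_value(value):
    """Return the value unchanged if it is a valid cookie-value, else raise.
    Apply this to untrusted data before calling Response.set_cookie()."""
    if not is_safe_cookie_value(value):
        bad = sorted({c for c in value if not is_safe_cookie_value(c)})
        raise ValueError("disallowed characters in cookie value: %r" % bad)
    return value


def build_response_checked(status, headers, cookies):
    """Same serializer, but every cookie value is validated first."""
    return build_response(
        status, headers, {n: check_cookie_value(v) for n, v in cookies.items()}
    )


if __name__ == "__main__":
    hdrs = [("Content-Type", "text/plain")]
    # Unchecked: the client sees two Set-Cookie headers and an X-Injected header.
    print("unchecked:", parse_header_names(build_response(200, hdrs, {"theme": MALICIOUS_VALUE})))
    # Checked: the tainted value never reaches the header block.
    try:
        build_response_checked(200, hdrs, {"theme": MALICIOUS_VALUE})
    except ValueError as exc:
        print("checked  :", exc)
    print("benign   :", parse_header_names(build_response_checked(200, hdrs, {"theme": "dark"})))
```

Rejecting rather than stripping is deliberate: silently removing \r\n from a value the attacker chose still hands the remainder to the client, whereas a hard failure surfaces the tainted input where it can be logged and investigated. The same check applies equally to the cookie name and to attribute values such as Path or Domain, since they land in the same header line.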