CVE-2026-3644
Incomplete control character validation in http.cookiesThe fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
We have discovered 487 live websites that are affected by CVE-2026-3644.
Affected Software
| Product |  CPython |
| Category | Programming Languages |
| Vulnerable Domains | 487 live websites (100% of CPython install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 74 versions ( 100% of all versions) |
Details
- Published - Mar 16, 2026
- Updated - Mar 16, 2026
Credits
- Stan Ulbrych (coordinator)
- Stan Ulbrych (remediation developer)
- Victor Stinner (remediation reviewer)
- Seth Larson (remediation reviewer)
- Vyom Yadav (reporter)
CVE References
Website Distribution by Country
Number of websites using CVE-2026-3644 United States | 163 websites |
 Germany | 58 websites |
 Singapore | 28 websites |
 India | 21 websites |
 France | 19 websites |
 Russia | 19 websites |
 China | 13 websites |
 Brazil | 11 websites |
 GB | 11 websites |
 Australia | 10 websites |
Website Distribution by TLD
Number of websites using CVE-2026-3644| .com | 170 websites |
| .org | 50 websites |
| .dk | 25 websites |
| .de | 20 websites |
| .net | 18 websites |
| .edu | 10 websites |
| .nl | 9 websites |
| .fr | 8 websites |
| .ru | 8 websites |
| .ch | 7 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-3644
Top websites that are affected by CVE-2026-3644. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | **,*** | |
| *******.***.org | Germany | ***,*** | |
| *****.org | Germany | ***,*** | |
| ***********.org | Australia | ***,*** | |
| ****.***********.***.au | Australia | ***,*** | |
| ********.org |  Nepal | ***,*** | |
| *******.org | Australia | ***,*** | |
| *****.*****.de | Germany | ***,*** | |
| ********.***.***.gr |  Greece | ***,*** | |
| ***.********.it |  Italy | ***,*** |
FAQ
A total of 487 websites have been identified as vulnerable to CVE-2026-3644, based on global website indexing conducted by WebTechSurvey.
The CPython is affected by the CVE-2026-3644 vulnerability.
CPython versions up to 3.15 are vulnerable to CVE-2026-3644.
CVE-2026-3644 is resolved in version 3.15 of CPython.
References
- https://mail.python.org/archives/list/[email protected]/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/
- https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4
- https://github.com/python/cpython/issues/145599
- https://github.com/python/cpython/pull/145600
- https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd
- https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd