Microdot has HTTP response splitting in Response.set_cookie() — CVE-2026-42874
ID: CVE-2026-42874
Source: GitHub
Vendor: GitHub
Threat: low
CVSS: 3.7
EPSS: 0.00038
Summary
### Impact

The `Response.set_cookie()` method does not sanitize its string arguments, and in particular will not detect the presence of the `\r\n` sequence in them. This can be a potential source of header injection attacks. For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack), so that it can send malicious…
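The mitigation for this class of flaw is to validate every string that ends up in a `Set-Cookie` line before the header is serialized. The following is an added example written for this page, not Microdot's code and not its `Response` API: `safe_set_cookie`, `naive_set_cookie`, `check_header_value` and `header_line_count` are hypothetical names, and the cookie values are constructed inputs. It shows the unvalidated builder producing two header lines from one call, and the validated builder refusing the same input.

```python
import re

# Characters that terminate an HTTP header line. Any of these inside a cookie
# name, value or attribute lets the caller append arbitrary headers (or, after
# a blank line, a second body), which is the response-splitting flaw class.
_CTL = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a cookie component would split the Set-Cookie header."""


def check_header_value(field: str, value: str) -> str:
    """Return value unchanged, or raise if it contains CR, LF or NUL."""
    if _CTL.search(value):
        raise HeaderInjectionError(f"{field}: CR, LF or NUL not allowed")
    return value


def naive_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Unvalidated builder (hypothetical), mirroring the flaw class above."""
    return f"Set-Cookie: {name}={value}; Path={path}"


def safe_set_cookie(name, value, path="/", domain=None, max_age=None,
                    secure=False, http_only=False, same_site=None) -> str:
    """Validated builder: every caller-supplied string is checked first."""
    parts = [f"{check_header_value('name', name)}="
             f"{check_header_value('value', value)}"]
    parts.append(f"Path={check_header_value('path', path)}")
    if domain is not None:
        parts.append(f"Domain={check_header_value('domain', domain)}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")  # int() rejects non-numeric input
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site is not None:
        parts.append(f"SameSite={check_header_value('same_site', same_site)}")
    return "Set-Cookie: " + "; ".join(parts)


def header_line_count(raw_header: str) -> int:
    """Number of header lines an HTTP parser would see in this string."""
    return len([line for line in raw_header.split("\r\n") if line])


def is_rejected(name: str, value: str) -> bool:
    """True if the validated builder refuses this name/value pair."""
    try:
        safe_set_cookie(name, value)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input containing a CRLF; the naive builder yields two lines.
    tainted = "abc\r\nX-Injected: 1"
    print(header_line_count(naive_set_cookie("session", tainted)))   # 2
    print(is_rejected("session", tainted))                           # True
    print(safe_set_cookie("session", "abc", secure=True, http_only=True))
```

The check is deliberately a reject rather than a strip: silently removing CR/LF can mask a bug in the caller, whereas raising makes the tainted value visible in logs and tests. A regression test for an affected application is the `header_line_count` assertion, which must stay at 1 for any value the handler accepts.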
Product: pip: microdot
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.