RHSA-2026:5152
Vulnerability from csaf_redhat - Published: 2026-03-19 17:57 - Updated: 2026-03-20 01:36Summary
Red Hat Security Advisory: python3.11 security update
Severity
Moderate
Notes
Topic: An update for python3.11 is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):
* cpython: IMAP command injection in user-controlled commands (CVE-2025-15366)
* cpython: POP3 command injection in user-controlled commands (CVE-2025-15367)
* cpython: email header injection due to unquoted newlines (CVE-2026-1299)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the imaplib module in the Python standard library. The imaplib module does not reject control characters, such as newlines, in user-controlled input passed to IMAP commands. This issue allows an attacker to inject additional commands to be executed in the IMAP server.
7.1 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2026:5152
Workaround
To mitigate this vulnerability, ensure that no data passed to the imaplib module contains newline or carriage return characters.
A flaw was found in the poplib module in the Python standard library. The poplib module does not reject control characters, such as newlines, in user-controlled input passed to POP3 commands. This issue allows an attacker to inject additional commands to be executed in the POP3 server.
7.1 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2026:5152
Workaround
To mitigate this vulnerability, ensure that no data passed to the poplib module contains newline or carriage return characters.
A flaw was found in the email module in the Python standard library. When serializing an email message, the BytesGenerator class fails to properly quote newline characters for email headers. This issue is exploitable when the LiteralHeader class is used as it does not respect email folding rules, allowing an attacker to inject email headers and potentially modify message recipients or the email body, and spoof sender information.
7.1 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2026:5152
Workaround
To mitigate this issue, applications accepting user-supplied data for email headers should sanitize the input by stripping or rejecting any strings containing carriage return or line feed characters, '\r' or '\n', respectively, preventing malicious sequences that could lead to header manipulation.
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python3.11 is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* cpython: IMAP command injection in user-controlled commands (CVE-2025-15366)\n\n* cpython: POP3 command injection in user-controlled commands (CVE-2025-15367)\n\n* cpython: email header injection due to unquoted newlines (CVE-2026-1299)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:5152",
"url": "https://access.redhat.com/errata/RHSA-2026:5152"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2431368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431368"
},
{
"category": "external",
"summary": "2431373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431373"
},
{
"category": "external",
"summary": "2432437",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432437"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_5152.json"
}
],
"title": "Red Hat Security Advisory: python3.11 security update",
"tracking": {
"current_release_date": "2026-03-20T01:36:50+00:00",
"generator": {
"date": "2026-03-20T01:36:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2026:5152",
"initial_release_date": "2026-03-19T17:57:32+00:00",
"revision_history": [
{
"date": "2026-03-19T17:57:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-19T17:57:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-20T01:36:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.8::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python3.11-0:3.11.2-2.el8_8.8.src",
"product": {
"name": "python3.11-0:3.11.2-2.el8_8.8.src",
"product_id": "python3.11-0:3.11.2-2.el8_8.8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11@3.11.2-2.el8_8.8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"product": {
"name": "python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"product_id": "python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11@3.11.2-2.el8_8.8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"product": {
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"product_id": "python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-devel@3.11.2-2.el8_8.8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"product": {
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"product_id": "python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-libs@3.11.2-2.el8_8.8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"product": {
"name": "python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"product_id": "python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-tkinter@3.11.2-2.el8_8.8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"product": {
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"product_id": "python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-debugsource@3.11.2-2.el8_8.8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"product": {
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"product_id": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-debuginfo@3.11.2-2.el8_8.8?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python3.11-0:3.11.2-2.el8_8.8.x86_64",
"product": {
"name": "python3.11-0:3.11.2-2.el8_8.8.x86_64",
"product_id": "python3.11-0:3.11.2-2.el8_8.8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11@3.11.2-2.el8_8.8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"product": {
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"product_id": "python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-devel@3.11.2-2.el8_8.8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"product": {
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"product_id": "python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-libs@3.11.2-2.el8_8.8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"product": {
"name": "python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"product_id": "python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-tkinter@3.11.2-2.el8_8.8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"product": {
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"product_id": "python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-debugsource@3.11.2-2.el8_8.8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"product": {
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"product_id": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-debuginfo@3.11.2-2.el8_8.8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"product": {
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"product_id": "python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-devel@3.11.2-2.el8_8.8?arch=i686"
}
}
},
{
"category": "product_version",
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"product": {
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"product_id": "python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-libs@3.11.2-2.el8_8.8?arch=i686"
}
}
},
{
"category": "product_version",
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"product": {
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"product_id": "python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-debugsource@3.11.2-2.el8_8.8?arch=i686"
}
}
},
{
"category": "product_version",
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"product": {
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"product_id": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-debuginfo@3.11.2-2.el8_8.8?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"product": {
"name": "python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"product_id": "python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3.11-rpm-macros@3.11.2-2.el8_8.8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-0:3.11.2-2.el8_8.8.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le"
},
"product_reference": "python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-0:3.11.2-2.el8_8.8.src as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src"
},
"product_reference": "python3.11-0:3.11.2-2.el8_8.8.src",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686"
},
"product_reference": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le"
},
"product_reference": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686"
},
"product_reference": "python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le"
},
"product_reference": "python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686"
},
"product_reference": "python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le"
},
"product_reference": "python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686"
},
"product_reference": "python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le"
},
"product_reference": "python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch"
},
"product_reference": "python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le"
},
"product_reference": "python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-0:3.11.2-2.el8_8.8.src as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src"
},
"product_reference": "python3.11-0:3.11.2-2.el8_8.8.src",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686"
},
"product_reference": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686"
},
"product_reference": "python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686"
},
"product_reference": "python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-devel-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686"
},
"product_reference": "python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-libs-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch"
},
"product_reference": "python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
},
"product_reference": "python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-15366",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"discovery_date": "2026-01-20T22:01:33.257688+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431368"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the imaplib module in the Python standard library. The imaplib module does not reject control characters, such as newlines, in user-controlled input passed to IMAP commands. This issue allows an attacker to inject additional commands to be executed in the IMAP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cpython: IMAP command injection in user-controlled commands",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to have the privileges required to send malicious input to an application that sends IMAP commands to a server. Additionally, this flaw can allow attackers to manipulate the state of the mailbox (e.g., delete emails, move folders, flag messages) and to potentially read metadata or specific email content, but it does not allow arbitrary code execution or OS command injection. Due to these reasons, this issue has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-15366"
},
{
"category": "external",
"summary": "RHBZ#2431368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431368"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-15366",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15366"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15366",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15366"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/issues/143921",
"url": "https://github.com/python/cpython/issues/143921"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/pull/143922",
"url": "https://github.com/python/cpython/pull/143922"
},
{
"category": "external",
"summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/"
}
],
"release_date": "2026-01-20T21:40:24.938000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-19T17:57:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:5152"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, ensure that no data passed to the imaplib module contains newline or carriage return characters.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cpython: IMAP command injection in user-controlled commands"
},
{
"cve": "CVE-2025-15367",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"discovery_date": "2026-01-20T22:02:09.399038+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431373"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the poplib module in the Python standard library. The poplib module does not reject control characters, such as newlines, in user-controlled input passed to POP3 commands. This issue allows an attacker to inject additional commands to be executed in the POP3 server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cpython: POP3 command injection in user-controlled commands",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to have the privileges required to send malicious input to an application that sends POP3 commands to a server. Additionally, this flaw can allow attackers to manipulate the state of the mailbox (e.g., delete emails) and to potentially read metadata or specific email content, but it does not allow arbitrary code execution or OS command injection. Due to these reasons, this issue has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-15367"
},
{
"category": "external",
"summary": "RHBZ#2431373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431373"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-15367",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15367"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15367",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15367"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/issues/143923",
"url": "https://github.com/python/cpython/issues/143923"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/pull/143924",
"url": "https://github.com/python/cpython/pull/143924"
},
{
"category": "external",
"summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/"
}
],
"release_date": "2026-01-20T21:47:09.885000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-19T17:57:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:5152"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, ensure that no data passed to the poplib module contains newline or carriage return characters.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cpython: POP3 command injection in user-controlled commands"
},
{
"cve": "CVE-2026-1299",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-01-23T17:02:57.343486+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2432437"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the email module in the Python standard library. When serializing an email message, the BytesGenerator class fails to properly quote newline characters for email headers. This issue is exploitable when the LiteralHeader class is used as it does not respect email folding rules, allowing an attacker to inject email headers and potentially modify message recipients or the email body, and spoof sender information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cpython: email header injection due to unquoted newlines",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue can only be exploitable by Python applications using the LiteralHeader class to write email headers, as it does not respect email folding rules. Additionally, this issue allows attackers to modify message recipients or the email body and spoof sender identity but it does not cause memory corruption or arbitrary code execution. Due to these reasons, this vulnerability has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1299"
},
{
"category": "external",
"summary": "RHBZ#2432437",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432437"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1299",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1299"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1299",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1299"
},
{
"category": "external",
"summary": "https://cve.org/CVERecord?id=CVE-2024-6923",
"url": "https://cve.org/CVERecord?id=CVE-2024-6923"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413",
"url": "https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/issues/144125",
"url": "https://github.com/python/cpython/issues/144125"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/pull/144126",
"url": "https://github.com/python/cpython/pull/144126"
},
{
"category": "external",
"summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/"
}
],
"release_date": "2026-01-23T16:27:13.346000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-19T17:57:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:5152"
},
{
"category": "workaround",
"details": "To mitigate this issue, applications accepting user-supplied data for email headers should sanitize the input by stripping or rejecting any strings containing carriage return or line feed characters, \u0027\\r\u0027 or \u0027\\n\u0027, respectively, preventing malicious sequences that could lead to header manipulation.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.E4S:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.E4S:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.ppc64le",
"AppStream-8.8.0.Z.E4S:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.src",
"AppStream-8.8.0.Z.TUS:python3.11-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debuginfo-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-debugsource-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-devel-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.i686",
"AppStream-8.8.0.Z.TUS:python3.11-libs-0:3.11.2-2.el8_8.8.x86_64",
"AppStream-8.8.0.Z.TUS:python3.11-rpm-macros-0:3.11.2-2.el8_8.8.noarch",
"AppStream-8.8.0.Z.TUS:python3.11-tkinter-0:3.11.2-2.el8_8.8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cpython: email header injection due to unquoted newlines"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…