CVE-2026-42874— Microdot: HTTP response splitting in Response.set_cookie()

CVSS 3.7 (Low) · EPSS 0.04% · P12

Possible ATT&CK Techniques: 1 (AI)

T1054

Affected Version Matrix 1

Vendor | Product | Version Range | Status
miguelgrinberg | microdot | < 2.6.1 | affected

I. Basic Information for CVE-2026-42874

Vulnerability Information


Vulnerability Title
Microdot: HTTP response splitting in Response.set_cookie()
Source: NVD (National Vulnerability Database)
Vulnerability Description
Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack), so that it can send malicious information that is destined to be stored in a cookie by the server on behalf of the victim. An attacker that infiltrates one client can only orchestrate a header injection attack for that client, all other clients that were not infiltrated are safe. This vulnerability is fixed in 2.6.1.
Source: NVD (National Vulnerability Database)
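
An added example, not Microdot's code and not the 2.6.1 patch: a stand-alone check that an application on an affected version could run over cookie arguments before they reach Response.set_cookie(). The function names and the simplified header builder are hypothetical, and the tainted value is constructed.

```python
import re

# Control characters (CR and LF included) must never appear in a header line.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


class CookieArgumentError(ValueError):
    """Raised when a cookie argument could break out of the Set-Cookie line."""


def naive_set_cookie_header(name, value, path=None, domain=None):
    # Constructed stand-in for an unsanitized builder: plain concatenation.
    header = f"{name}={value}"
    if path:
        header += f"; Path={path}"
    if domain:
        header += f"; Domain={domain}"
    return "Set-Cookie: " + header


def checked_cookie_args(name, value, path=None, domain=None):
    """Return the arguments unchanged, or raise if any holds a control char."""
    for label, arg in (("name", name), ("value", value),
                       ("path", path), ("domain", domain)):
        if arg is None:
            continue
        if _CTL.search(str(arg)):
            raise CookieArgumentError(f"control character in cookie {label}")
    return name, value, path, domain


def safe_set_cookie_header(name, value, path=None, domain=None):
    # Validate first, then build; tainted input never reaches the builder.
    return naive_set_cookie_header(*checked_cookie_args(name, value, path, domain))


def header_lines(raw):
    # How a receiver splitting on CRLF sees the serialized header.
    return raw.split("\r\n")


if __name__ == "__main__":
    tainted = "dark\r\nX-Injected: 1"  # constructed client-supplied value
    print(header_lines(naive_set_cookie_header("theme", tainted)))
    try:
        safe_set_cookie_header("theme", tainted)
    except CookieArgumentError as exc:
        print("rejected:", exc)
```

Rejecting the request is safer than stripping the characters, since a stripped value still stores attacker-shaped data in the cookie.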
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper neutralization of CRLF sequences in HTTP headers (HTTP response splitting)
Source: NVD (National Vulnerability Database)
Vulnerability Title
microdot injection vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
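microdot is a minimalist Python web framework by individual developer Miguel Grinberg. Versions of microdot prior to 2.6.1 contain an injection vulnerability, which stems from the Response.set_cookie method not sanitizing its string arguments and may lead to header injection attacks.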
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions | CPE
miguelgrinberg | microdot | < 2.6.1 | -

II. Public POCs for CVE-2026-42874


No public POC found.

