Header Injection Vulnerability in Microdot Python Web Framework
CVE-2026-42874

3.7 LOW

Key Information:

CVE Published: 11 May 2026

What is CVE-2026-42874?

Microdot, a minimalist Python web framework, contains a header injection (CRLF injection) vulnerability in versions prior to 2.6.1. The Response.set_cookie() method does not validate its string arguments and in particular does not reject the \r\n sequence. Because the cookie name, value and attributes are written directly into the Set-Cookie header line, an argument containing \r\n terminates that line early, and whatever follows it is emitted as an additional response header. According to the advisory, exploitation requires the attacker to already control the affected client, for example through an independent XSS vulnerability: the compromised client submits crafted data which the server then stores in a cookie via set_cookie(). The injected headers are therefore returned only to that compromised client and do not affect other, uncompromised users. The issue is fixed in version 2.6.1.
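The following is an added illustration of the weakness described above, not code from the Microdot project. It models a naive Set-Cookie builder that interpolates its arguments unchecked, in the style the advisory describes, beside a hardened builder that refuses CR and LF; the function names, the sample header lines and the attacker-controlled cookie value are all constructed for the demonstration and are not Microdot's API.

```python
# Added illustration for the CRLF weakness described above. This is NOT
# Microdot's own code: it models a naive Set-Cookie builder in the style the
# advisory describes (arguments interpolated into the header line unchecked)
# next to a hardened builder that rejects CR/LF. Header names and values below
# are constructed for the demonstration.


def build_set_cookie_naive(name: str, value: str, path: str = "/") -> str:
    # Naive: interpolates every argument into the header line with no check,
    # so a value containing "\r\n" terminates the Set-Cookie line early and
    # whatever follows is emitted as a further header.
    return f"Set-Cookie: {name}={value}; Path={path}"


def build_set_cookie_safe(name: str, value: str, path: str = "/") -> str:
    # Hardened: refuse any argument containing CR or LF before it reaches the
    # header line. Raising is preferable to silently stripping, because a
    # stripped value would still be stored and reflected in a surprising form.
    for label, arg in (("name", name), ("value", value), ("path", path)):
        if "\r" in arg or "\n" in arg:
            raise ValueError(f"cookie {label} contains CR/LF")
    return build_set_cookie_naive(name, value, path)


def serialize_headers(header_lines):
    # Join header lines the way an HTTP/1.1 response header block is written.
    return "\r\n".join(header_lines) + "\r\n\r\n"


def parse_header_names(raw: str):
    # Read the header block back as a receiver would: one header per CRLF.
    return [line.partition(":")[0].strip()
            for line in raw.split("\r\n") if line]


# Constructed attacker-controlled cookie value: the CRLF ends the Set-Cookie
# line and the remainder becomes an extra response header.
CONSTRUCTED_MALICIOUS_VALUE = "abc\r\nX-Injected: 1"


def header_names_naive(value: str):
    # Header names a receiver sees when the naive builder is fed `value`.
    raw = serialize_headers([
        "Content-Type: text/plain",
        build_set_cookie_naive("session", value),
    ])
    return parse_header_names(raw)


def safe_builder_rejects(value: str) -> bool:
    # True when the hardened builder refuses `value`.
    try:
        build_set_cookie_safe("session", value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(header_names_naive(CONSTRUCTED_MALICIOUS_VALUE))
    print(safe_builder_rejects(CONSTRUCTED_MALICIOUS_VALUE))
```

Fed the constructed value, the naive builder produces three headers where the application intended two, with X-Injected appearing as a header the client will honour; the hardened builder raises instead. The check covers the cookie name and path as well as the value, since any argument that reaches the header line is an injection point.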

Affected Version(s)

microdot < 2.6.1

CVSS V3.1

Score: 3.7
Severity: LOW
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 11 May 2026