CVE-2026-0864

Published: June 25, 2026Last modified: July 2, 2026

Description

When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSpython3Fixed (3.11.15-r5)
25 LTSpython3Fixed (3.12.13-r5)
Streampython3Fixed (3.14.5-r4)
Hardened Containers23 LTSpython3Unknown (3.11.3-r0)
25 LTSpython3Unknown (3.12.10-r1)
Streampython3Unknown (3.11.4-r0)

References

ON THIS PAGE