Python http.client CRLF injection via proxy tunnel headers (before 3.15)
CVE-2026-1502 Published on April 10, 2026

HTTP client proxy tunnel headers not validated for CR/LF
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

Vendor Advisory NVD

Products Associated with CVE-2026-1502

Want to know whenever a new CVE is published for Python? stack.watch will email you.

Python

Affected Versions

Python Software Foundation CPython:

Before 3.15.0 is affected.

Exploit Probability

EPSS

0.04%

Percentile

12.47%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Python http.client CRLF injection via proxy tunnel headers (before 3.15)CVE-2026-1502 Published on April 10, 2026

Products Associated with CVE-2026-1502

Affected Versions

Exploit Probability

Python http.client CRLF injection via proxy tunnel headers (before 3.15)
CVE-2026-1502 Published on April 10, 2026