Release date: 2026-05-20 12:05:11 UTC
Description:
- CVE-2025-15282: urllib.request.DataHandler accepted data: URLs whose
mediatype contained C0 control characters, allowing newline-based HTTP
header injection downstream. Reject control characters in data_open().
- CVE-2026-0672: http.cookies.Morsel did not reject control characters in
keys, values, or coded_value, allowing cookie injection via __setitem__,
setdefault, set, and BaseCookie.output. Add a _has_control_character
helper and validate in those entry points and BaseCookie.OutputString.
- CVE-2026-3644: the CVE-2026-0672 fix was incomplete; control characters
could still bypass the validation via Morsel.update(), |=, __setstate__, and
BaseCookie.js_output(). Validate those entry points too and re-validate
the assembled output string in js_output().
- CVE-2026-4224: Modules/pyexpat.c conv_content_model could overflow the
C stack when an Expat parser with a registered ElementDeclHandler
parsed a deeply nested DTD content model, causing a denial-of-service.
Wrap conv_content_model with Py_EnterRecursiveCall so deep nesting
raises RecursionError instead of crashing.
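
A guard in the spirit of the two http.cookies fixes above, for application code that may also run on interpreters without this update. This is an added example, not the CPython or CloudLinux patch; has_control_character, safe_set_cookie, render_headers, the C0-plus-DEL character range and the sample values are assumptions made here.

```python
import re
from http.cookies import CookieError, SimpleCookie

# Assumption: "control character" means C0 (0x00-0x1F) plus DEL (0x7F).
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def has_control_character(*values):
    """Return True if any value, rendered as str, holds a control character."""
    return any(_CONTROL_RE.search(str(v)) for v in values)


def safe_set_cookie(jar, key, value, attrs=None):
    """Validate every field before it reaches Morsel (hypothetical helper)."""
    attrs = dict(attrs or {})
    if has_control_character(key, value, *attrs.keys(), *attrs.values()):
        raise CookieError("control character in cookie field for key %r" % (key,))
    jar[key] = value
    for name, attr_value in attrs.items():
        jar[key][name] = attr_value  # goes through Morsel.__setitem__
    return jar


def render_headers(jar):
    """Render Set-Cookie lines, then re-validate the assembled string."""
    out = jar.output(sep="\r\n")
    lines = out.split("\r\n") if out else []
    # One line per cookie; an extra line means a separator came from a field.
    if len(lines) != len(jar) or has_control_character(*lines):
        raise CookieError("control character in rendered Set-Cookie output")
    return out


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    jar = safe_set_cookie(SimpleCookie(), "session", "abc123", {"path": "/app"})
    print(render_headers(jar))
    try:
        safe_set_cookie(jar, "theme", "dark", {"path": "/app\r\n"})
    except CookieError as exc:
        print("rejected:", exc)
```

The check runs before the jar is modified, so a rejected cookie leaves the existing cookies untouched.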
Updated packages:
- alt-python36-3.6.15-24.el9.x86_64.rpm
sha:12931958e94ffb2f7334a75d4709f40a264b4e3509be934f5f9b5861bf3808e9
- alt-python36-debug-3.6.15-24.el9.x86_64.rpm
sha:88cd57d2db09776e431c0291303e4133a9fcc340f4818ceb4132170f0f968507
- alt-python36-devel-3.6.15-24.el9.x86_64.rpm
sha:d1071426e6a7a39ac36c87e9c7dc749654dd610066e5b1ebb56d8a75ea0bc27c
- alt-python36-libs-3.6.15-24.el9.x86_64.rpm
sha:ea3a26f1601d918a691637b159e45f1725e1728d26d79790718f4c6582f9ac2a
- alt-python36-test-3.6.15-24.el9.x86_64.rpm
sha:fa92fffdc5a95ecc375428811508b516dc30c2983a2d99bea188c92074e39d30
- alt-python36-tkinter-3.6.15-24.el9.x86_64.rpm
sha:7a22982de26d1daeb4fd4c06ac5eb61ca9489edf3bde0d6fdd52e07518607a6d
- alt-python36-tools-3.6.15-24.el9.x86_64.rpm
sha:c27930859a506cf5a7232e9ee38b9ba9f53e335947ae255dbd5a1d4b798e7c2f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections, please contact the CloudLinux Packaging Team.