Common Weakness Enumeration

CWE-93

Allowed

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Abstraction: Base · Status: Draft

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

323 vulnerabilities reference this CWE, most recent first.

CVE-2026-11362 (GCVE-0-2026-11362)

Vulnerability from cvelistv5 – Published: 2026-06-05 14:50 – Updated: 2026-06-08 18:20
VLAI
Title
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags
Summary
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences
  • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Assigner
Impacted products
Vendor Product Version
BINARY DataDog::DogStatsd Affected: 0 , ≤ 0.07 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-11362",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-08T18:20:03.616117Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-08T18:20:09.533Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "DataDog-DogStatsd",
          "product": "DataDog::DogStatsd",
          "programRoutines": [
            {
              "name": "DataDog::DogStatsd::format_event"
            },
            {
              "name": "DataDog::DogStatsd::event"
            }
          ],
          "repo": "https://github.com/binary-com/dogstatsd-perl",
          "vendor": "BINARY",
          "versions": [
            {
              "lessThanOrEqual": "0.07",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.\n\nDataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.\n\nThe format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections.  (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-150",
              "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T14:50:12.176Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46741"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags",
      "workarounds": [
        {
          "lang": "en",
          "value": "Ensure that metric names, values and tags come from trusted sources or are properly sanitised."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-11362",
    "datePublished": "2026-06-05T14:50:12.176Z",
    "dateReserved": "2026-06-05T11:42:59.357Z",
    "dateUpdated": "2026-06-08T18:20:09.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9679 (GCVE-0-2026-9679)

Vulnerability from cvelistv5 – Published: 2026-06-17 16:56 – Updated: 2026-06-23 16:12
VLAI
Title
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Summary
Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning. Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header. This was introduced in undici 7.0.0 via PR #3789. Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Workarounds: If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
Impacted products
Vendor Product Version
undici undici Affected: 0 , < 6.26.0 (semver)
Unaffected: 6.26.0 (semver)
Affected: 7.0.0 , < 7.28.0 (semver)
Unaffected: 7.28.0 (semver)
Affected: 8.0.0 , < 8.5.0 (semver)
Unaffected: 8.5.0 (semver)
Create a notification for this product.
Credits
tndud042713 mcollina KhafraDev UlisesGascon
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9679",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T18:31:46.100353Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T16:12:38.765Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/undici",
          "product": "undici",
          "vendor": "undici",
          "versions": [
            {
              "lessThan": "6.26.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.26.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.28.0",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "7.28.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.0",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "8.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "tndud042713"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "mcollina"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "KhafraDev"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "UlisesGascon"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Impact:\nundici\u0027s cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 \u00a75.4 does not specify any decoding and browsers do not decode either.\n\nApplications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application\u0027s downstream response, enabling session fixation, open redirect, or cache poisoning.\n\nAffected applications are those that use undici\u0027s cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.\n\nThis was introduced in undici 7.0.0 via PR #3789.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes."
            }
          ],
          "value": "Impact:\nundici\u0027s cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 \u00a75.4 does not specify any decoding and browsers do not decode either.\n\nApplications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application\u0027s downstream response, enabling session fixation, open redirect, or cache poisoning.\n\nAffected applications are those that use undici\u0027s cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.\n\nThis was introduced in undici 7.0.0 via PR #3789.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T16:56:18.579Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv"
        },
        {
          "url": "https://cna.openjsf.org/security-advisories.html"
        }
      ],
      "title": "undici vulnerable to HTTP header injection via Set-Cookie percent-decoding",
      "x_generator": {
        "engine": "cve-kit 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-9679",
    "datePublished": "2026-06-17T16:56:18.579Z",
    "dateReserved": "2026-05-27T08:59:17.316Z",
    "dateUpdated": "2026-06-23T16:12:38.765Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9270 (GCVE-0-2026-9270)

Vulnerability from cvelistv5 – Published: 2026-06-05 14:49 – Updated: 2026-06-08 18:17
VLAI
Title
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections
Summary
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences
  • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Assigner
Impacted products
Vendor Product Version
BINARY DataDog::DogStatsd Affected: 0 , ≤ 0.07 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-9270",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-08T18:17:00.524236Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-08T18:17:12.608Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "DataDog-DogStatsd",
          "product": "DataDog::DogStatsd",
          "programRoutines": [
            {
              "name": "DataDog::DogStatsd::send_stats"
            },
            {
              "name": "DataDog::DogStatsd::set"
            },
            {
              "name": "DataDog::DogStatsd::gauge"
            },
            {
              "name": "DataDog::DogStatsd::count"
            },
            {
              "name": "DataDog::DogStatsd::histogram"
            }
          ],
          "repo": "https://github.com/binary-com/dogstatsd-perl",
          "vendor": "BINARY",
          "versions": [
            {
              "lessThanOrEqual": "0.07",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.\n\nDataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.\n\nThe send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.\n\nThe send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.\n\nThe send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.\n\nNote that the SYNOPSIS shows an example of passing a website form \"loginName\" parameter as a tag, which is unsafe."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-150",
              "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T14:49:39.714Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46741"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "DataDog::DogStatsd versions through 0.07 for Perl allow metric injections",
      "workarounds": [
        {
          "lang": "en",
          "value": "Ensure that metric names, values and tags come from trusted sources or are properly sanitised."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-9270",
    "datePublished": "2026-06-05T14:49:39.714Z",
    "dateReserved": "2026-05-22T10:23:06.050Z",
    "dateUpdated": "2026-06-08T18:17:12.608Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8788 (GCVE-0-2026-8788)

Vulnerability from cvelistv5 – Published: 2026-05-18 06:34 – Updated: 2026-06-19 15:34
VLAI
Title
Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections
Summary
Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences
  • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Assigner
Impacted products
Vendor Product Version
RRWO Net::Statsd::Lite Affected: 0 , ≤ 0.10.0 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-8788",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T12:45:22.290912Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T12:45:27.703Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Net-Statsd-Lite",
          "product": "Net::Statsd::Lite",
          "programRoutines": [
            {
              "name": "Net::Statsd::Lite::record_metric"
            }
          ],
          "repo": "https://github.com/robrwo/Net-Statsd-Lite",
          "vendor": "RRWO",
          "versions": [
            {
              "lessThanOrEqual": "0.10.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections.\n\nThe values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\n\nNote that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-150",
              "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-19T15:34:16.945Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Net::Statsd::Lite version 0.10.1 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-14T00:00:00.000Z",
          "value": "Issue reported to CPANSec"
        },
        {
          "lang": "en",
          "time": "2026-05-15T00:00:00.000Z",
          "value": "Author notified"
        },
        {
          "lang": "en",
          "time": "2026-05-16T00:00:00.000Z",
          "value": "Fix released for CVE-2026-46719"
        },
        {
          "lang": "en",
          "time": "2026-05-17T00:00:00.000Z",
          "value": "CVE-2026-8788 identified by author"
        },
        {
          "lang": "en",
          "time": "2025-05-17T00:00:00.000Z",
          "value": "Fix released for CVE-2026-8788"
        }
      ],
      "title": "Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections",
      "workarounds": [
        {
          "lang": "en",
          "value": "In version 0.10.0, use the secure_set_add method which logs an HMAC digest of the value instead of the raw value.\n\nValidate that all values sent to the client based on untrusted data do not contain metric injections."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-8788",
    "datePublished": "2026-05-18T06:34:24.030Z",
    "dateReserved": "2026-05-17T12:01:20.592Z",
    "dateUpdated": "2026-06-19T15:34:16.945Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8722 (GCVE-0-2026-8722)

Vulnerability from cvelistv5 – Published: 2026-06-03 23:45 – Updated: 2026-06-19 15:33
VLAI
Title
Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections
Summary
Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences
  • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Assigner
Impacted products
Vendor Product Version
TEAM Net::Async::Statsd::Client Affected: 0 , ≤ 0.005 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-8722",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T18:30:45.633771Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T18:31:02.943Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Net-Async-Statsd",
          "product": "Net::Async::Statsd::Client",
          "programRoutines": [
            {
              "name": "Net::Async::Statsd::Client::queue_stat"
            }
          ],
          "repo": "https://github.com/team-at-cpan/Net-Async-Statsd",
          "vendor": "TEAM",
          "versions": [
            {
              "lessThanOrEqual": "0.005",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections.\n\nThe metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-150",
              "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-19T15:33:53.933Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "related"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections",
      "workarounds": [
        {
          "lang": "en",
          "value": "Ensure only trusted data is submitted to metrics."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-8722",
    "datePublished": "2026-06-03T23:45:27.353Z",
    "dateReserved": "2026-05-16T01:26:22.806Z",
    "dateUpdated": "2026-06-19T15:33:53.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6351 (GCVE-0-2026-6351)

Vulnerability from cvelistv5 – Published: 2026-04-16 02:39 – Updated: 2026-04-16 13:02
VLAI
Title
Openfind|MailGates/MailAudit - CRLF Injection
Summary
MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-93 - Improper neutralization of CRLF sequences ('CRLF injection')
Assigner
References
Impacted products
Vendor Product Version
Openfind MailGates Affected: 6.0 , < 6.1.10.054 (custom)
Affected: 5.0 , < 5.2.10.099 (custom)
Create a notification for this product.
Openfind MailAudit Affected: 6.0 , < 6.1.10.054 (custom)
Affected: 5.0 , < 5.2.10.099 (custom)
Create a notification for this product.
Date Public
2026-04-16 02:34
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6351",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-16T13:02:17.083959Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-16T13:02:24.951Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MailGates",
          "vendor": "Openfind",
          "versions": [
            {
              "lessThan": "6.1.10.054",
              "status": "affected",
              "version": "6.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.2.10.099",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MailAudit",
          "vendor": "Openfind",
          "versions": [
            {
              "lessThan": "6.1.10.054",
              "status": "affected",
              "version": "6.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.2.10.099",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2026-04-16T02:34:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files."
            }
          ],
          "value": "MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-15",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-15 Command Delimiters"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T02:39:02.015Z",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/tw/cp-132-10844-1405d-1.html"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/en/cp-139-10843-9ff91-2.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "MailGates/MailAudit 6.0\uff1a Update to version 6.1.10.054 or later\n\u003cbr\u003eMailGates/MailAudit 5.0\uff1a Update to version 5.2.10.099 or later"
            }
          ],
          "value": "MailGates/MailAudit 6.0\uff1a Update to version 6.1.10.054 or later\n\nMailGates/MailAudit 5.0\uff1a Update to version 5.2.10.099 or later"
        }
      ],
      "source": {
        "advisory": "TVN-202604003",
        "discovery": "EXTERNAL"
      },
      "title": "Openfind\uff5cMailGates/MailAudit - CRLF Injection",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2026-6351",
    "datePublished": "2026-04-16T02:39:02.015Z",
    "dateReserved": "2026-04-15T11:32:32.176Z",
    "dateUpdated": "2026-04-16T13:02:24.951Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5140 (GCVE-0-2026-5140)

Vulnerability from cvelistv5 – Published: 2026-04-29 13:02 – Updated: 2026-06-06 07:51
VLAI
Title
Authorization Bypass in TUBITAK BILGEM's Pardus Update
Summary
Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Authentication Bypass. This issue affects Pardus Update: from 0.6.3 before 0.6.4.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-93 - Improper neutralization of CRLF sequences ('CRLF injection')
Assigner
References
Impacted products
Date Public
2026-04-29 12:43
Credits
Çağrı ESER
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5140",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T14:04:24.354607Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T14:04:35.564Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pardus Update",
          "vendor": "TUBITAK BILGEM Software Technologies Research Institute",
          "versions": [
            {
              "lessThan": "0.6.4",
              "status": "affected",
              "version": "0.6.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "\u00c7a\u011fr\u0131 ESER"
        }
      ],
      "datePublic": "2026-04-29T12:43:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027) vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Authentication Bypass.\u003cp\u003eThis issue affects Pardus Update: from 0.6.3 before 0.6.4.\u003c/p\u003e"
            }
          ],
          "value": "Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027) vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Authentication Bypass.\n\nThis issue affects Pardus Update: from 0.6.3 before 0.6.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-06T07:51:25.691Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource",
            "broken-link"
          ],
          "url": "https://www.usom.gov.tr/bildirim/tr-26-0131"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0131"
        }
      ],
      "source": {
        "advisory": "TR-26-0131",
        "defect": [
          "TR-26-0131"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Authorization Bypass in TUBITAK BILGEM\u0027s Pardus Update",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2026-5140",
    "datePublished": "2026-04-29T13:02:08.216Z",
    "dateReserved": "2026-03-30T11:35:18.026Z",
    "dateUpdated": "2026-06-06T07:51:25.691Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3848 (GCVE-0-2026-3848)

Vulnerability from cvelistv5 – Published: 2026-03-11 15:37 – Updated: 2026-03-12 14:23
VLAI
Title
Improper Neutralization of CRLF Sequences ('CRLF Injection') in GitLab
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
Impacted products
Vendor Product Version
GitLab GitLab Affected: 8.11 , < 18.7.6 (semver)
Affected: 18.8 , < 18.8.6 (semver)
Affected: 18.9 , < 18.9.2 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Thanks [shelld3c](https://hackerone.com/shells3c) for reporting this vulnerability.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3848",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-12T14:23:34.060887Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-12T14:23:58.017Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "18.7.6",
              "status": "affected",
              "version": "8.11",
              "versionType": "semver"
            },
            {
              "lessThan": "18.8.6",
              "status": "affected",
              "version": "18.8",
              "versionType": "semver"
            },
            {
              "lessThan": "18.9.2",
              "status": "affected",
              "version": "18.9",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [shelld3c](https://hackerone.com/shells3c) for reporting this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-11T15:37:11.894Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/577298"
        },
        {
          "url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above."
        }
      ],
      "title": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2026-3848",
    "datePublished": "2026-03-11T15:37:11.894Z",
    "dateReserved": "2026-03-09T19:33:36.812Z",
    "dateUpdated": "2026-03-12T14:23:58.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3634 (GCVE-0-2026-3634)

Vulnerability from cvelistv5 – Published: 2026-03-17 09:44 – Updated: 2026-03-19 20:55
VLAI
Title
Libsoup: libsoup: http header injection and response splitting via crlf injection in content-type header
Summary
A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
Impacted products
Date Public
2026-03-06 05:05
Credits
Red Hat would like to thank Codean Labs for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3634",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T13:03:02.939035Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-17T13:03:07.736Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/485"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup3",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Codean Labs for reporting this issue."
        }
      ],
      "datePublic": "2026-03-06T05:05:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T20:55:36.678Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-3634"
        },
        {
          "name": "RHBZ#2445129",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445129"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/485"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T07:57:46.977Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-03-06T05:05:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Libsoup: libsoup: http header injection and response splitting via crlf injection in content-type header",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-3634",
    "datePublished": "2026-03-17T09:44:19.631Z",
    "dateReserved": "2026-03-06T08:03:35.024Z",
    "dateUpdated": "2026-03-19T20:55:36.678Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3633 (GCVE-0-2026-3633)

Vulnerability from cvelistv5 – Published: 2026-03-17 09:44 – Updated: 2026-03-19 20:57
VLAI
Title
Libsoup: libsoup: header and http request injection via crlf injection
Summary
A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
Impacted products
Date Public
2026-03-06 05:05
Credits
Red Hat would like to thank Codean Labs for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3633",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T12:59:46.420116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-17T12:59:56.047Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup3",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Codean Labs for reporting this issue."
        }
      ],
      "datePublic": "2026-03-06T05:05:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T20:57:05.472Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-3633"
        },
        {
          "name": "RHBZ#2445128",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445128"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/484"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T07:51:56.749Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-03-06T05:05:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Libsoup: libsoup: header and http request injection via crlf injection",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-3633",
    "datePublished": "2026-03-17T09:44:19.794Z",
    "dateReserved": "2026-03-06T07:57:52.748Z",
    "dateUpdated": "2026-03-19T20:57:05.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Implementation

Avoid using CRLF as a special sequence.

Mitigation
Implementation

Appropriately filter or quote CRLF sequences in user-controlled input.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.