{"uuid": "459e27ca-dd5a-4ef3-8dff-213b8315808e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48598", "type": "seen", "source": "https://gist.github.com/alon710/5cf8fa01fdabad32641db4fb6525028d", "content": "# CVE-2026-48598: CVE-2026-48598: Multipart Part Header Injection and Request Smuggling in elixir-tesla\n\n&gt; **CVSS Score:** 2.1\n&gt; **Published:** 2026-07-10\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48598\n\n## Summary\nAn Improper Encoding or Escaping of Output vulnerability (CWE-116) in elixir-tesla allowed unauthenticated remote code execution or request smuggling via unescaped Content-Disposition parameters in multipart form-data requests.\n\n## TL;DR\nUnescaped carriage returns, line feeds, and double-quotes in elixir-tesla's multipart module allow multipart header injection and request smuggling.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-116\n- **Attack Vector**: Local\n- **CVSS v4.0 Score**: 2.1 (Low)\n- **EPSS Score**: 0.00143\n- **Impact**: Low Subsequent System Integrity\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- elixir-tesla\n- **tesla**: &gt;= 0.8.0, &lt; 1.18.3 (Fixed in: `1.18.3`)\n\n## Mitigation\n\n- Upgrade the elixir-tesla dependency to version 1.18.3 or newer\n- Filter user-controlled input values to remove carriage returns, line feeds, and double-quote characters before parsing\n- Wrap dynamic multipart compilation steps in exception-handling blocks to prevent application crashes\n\n**Remediation Steps:**\n1. Open your mix.exs configuration file\n2. Locate the {:tesla, \"...\"} dependency line and update the version requirement to &gt;= 1.18.3\n3. Execute mix deps.get to fetch the patched version of the package\n4. Run your test suite to verify no uncaught ArgumentError exceptions occur during multipart serialization\n\n## References\n\n- [CVE-2026-48598 on CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-48598)\n- [GHSA-28jh-g32x-v9v4 Advisory on GitHub](https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4)\n- [Erlang Ecosystem Foundation CNA Advisory](https://cna.erlef.org/cves/CVE-2026-48598.html)\n- [OSV Registry Record for CVE-2026-48598](https://osv.dev/vulnerability/EEF-CVE-2026-48598)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48598) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T00:42:13.295577Z"}