<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Fri, 10 Jul 2026 22:44:30 +0000</lastBuildDate>
    <item>
      <title>0200b6a9-d03b-4e4c-aa36-3c9c3787e075</title>
      <link>https://vulnerability.circl.lu/sighting/0200b6a9-d03b-4e4c-aa36-3c9c3787e075/export</link>
      <description>{"uuid": "0200b6a9-d03b-4e4c-aa36-3c9c3787e075", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-2pg6-44cx-c49v", "type": "seen", "source": "https://gist.github.com/alon710/894d931a4bc3b7f3c7f80c92512208e5", "content": "# CVE-2026-48861: CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint\n\n&amp;gt; **CVSS Score:** 2.1\n&amp;gt; **Published:** 2026-07-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48861\n\n## Summary\nCVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.\n\n## TL;DR\nA CRLF injection vulnerability in Elixir Mint (CVE-2026-48861) allows attackers to perform HTTP Request Splitting and Smuggling by passing control characters in the unvalidated HTTP method parameter.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-93 (Improper Neutralization of CRLF Sequences)\n- **Attack Vector**: Network / Client-Side forwarding\n- **CVSS Score**: 2.1 (Low Severity)\n- **EPSS Score**: 0.00166 (0.17% probability)\n- **Impact**: HTTP Request Splitting / HTTP Request Smuggling\n- **Exploit Status**: Proof-of-Concept (PoC)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Elixir Mint library versions 0.1.0 through 1.8.1\n- Elixir applications utilizing dynamic, user-controlled HTTP methods with Mint\n- **mint**: &amp;gt;= 0.1.0, &amp;lt; 1.9.0 (Fixed in: `1.9.0`)\n\n## Mitigation\n\n- Upgrade the Mint dependency to version 1.9.0 or higher to enforce token validation at the library level\n- Implement strict, application-level whitelisting for all dynamic HTTP method inputs before they are passed to Mint\n- Employ static application security testing (SAST) tools to audit dependencies and identify vulnerable packages\n\n**Remediation Steps:**\n1. Open the mix.exs configuration file in the affected Elixir project\n2. Locate the mint dependency entry and update the version requirement to {:mint, \"~&amp;gt; 1.9\"}\n3. Execute the mix deps.get command in the project directory to retrieve the updated package\n4. Run mix deps.compile mint to ensure the patched version compiles correctly in the local environment\n5. Deploy the updated application to production environments and monitor application logs for invalid request method exceptions\n\n## References\n\n- [CVE-2026-48861 National Vulnerability Database](https://nvd.nist.gov/vuln/detail/CVE-2026-48861)\n- [GitHub Security Advisory GHSA-2pg6-44cx-c49v](https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v)\n- [Official Fix Commit](https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a)\n- [Erlang Ecosystem Foundation Advisory](https://cna.erlef.org/cves/CVE-2026-48861.html)\n- [OSV Database Entry](https://osv.dev/vulnerability/EEF-CVE-2026-48861)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48861) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T04:12:07.761913Z"}</description>
      <content:encoded>{"uuid": "0200b6a9-d03b-4e4c-aa36-3c9c3787e075", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-2pg6-44cx-c49v", "type": "seen", "source": "https://gist.github.com/alon710/894d931a4bc3b7f3c7f80c92512208e5", "content": "# CVE-2026-48861: CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint\n\n&amp;gt; **CVSS Score:** 2.1\n&amp;gt; **Published:** 2026-07-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48861\n\n## Summary\nCVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.\n\n## TL;DR\nA CRLF injection vulnerability in Elixir Mint (CVE-2026-48861) allows attackers to perform HTTP Request Splitting and Smuggling by passing control characters in the unvalidated HTTP method parameter.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-93 (Improper Neutralization of CRLF Sequences)\n- **Attack Vector**: Network / Client-Side forwarding\n- **CVSS Score**: 2.1 (Low Severity)\n- **EPSS Score**: 0.00166 (0.17% probability)\n- **Impact**: HTTP Request Splitting / HTTP Request Smuggling\n- **Exploit Status**: Proof-of-Concept (PoC)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Elixir Mint library versions 0.1.0 through 1.8.1\n- Elixir applications utilizing dynamic, user-controlled HTTP methods with Mint\n- **mint**: &amp;gt;= 0.1.0, &amp;lt; 1.9.0 (Fixed in: `1.9.0`)\n\n## Mitigation\n\n- Upgrade the Mint dependency to version 1.9.0 or higher to enforce token validation at the library level\n- Implement strict, application-level whitelisting for all dynamic HTTP method inputs before they are passed to Mint\n- Employ static application security testing (SAST) tools to audit dependencies and identify vulnerable packages\n\n**Remediation Steps:**\n1. Open the mix.exs configuration file in the affected Elixir project\n2. Locate the mint dependency entry and update the version requirement to {:mint, \"~&amp;gt; 1.9\"}\n3. Execute the mix deps.get command in the project directory to retrieve the updated package\n4. Run mix deps.compile mint to ensure the patched version compiles correctly in the local environment\n5. Deploy the updated application to production environments and monitor application logs for invalid request method exceptions\n\n## References\n\n- [CVE-2026-48861 National Vulnerability Database](https://nvd.nist.gov/vuln/detail/CVE-2026-48861)\n- [GitHub Security Advisory GHSA-2pg6-44cx-c49v](https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v)\n- [Official Fix Commit](https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a)\n- [Erlang Ecosystem Foundation Advisory](https://cna.erlef.org/cves/CVE-2026-48861.html)\n- [OSV Database Entry](https://osv.dev/vulnerability/EEF-CVE-2026-48861)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48861) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T04:12:07.761913Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/0200b6a9-d03b-4e4c-aa36-3c9c3787e075/export</guid>
      <pubDate>Fri, 10 Jul 2026 04:12:07 +0000</pubDate>
    </item>
  </channel>
</rss>
