CVE-2026-9658

7.3 HIGH

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths

Published: 2026-05-28 · Last updated: 2026-06-01

Severity and scoring

CVSS: 7.3 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-113, CWE-790

Description

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example:

    GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.

Source: NVD

Related CVEs

Same CWE

  • CVE-2026-43966 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HT...
  • CVE-2026-48596 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows ...
  • CVE-2026-38967 CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values (9.8 CRITICAL)
  • CVE-2026-38978 transmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths (5.3 MEDIUM)
  • CVE-2026-47675 Hono is a Web application framework that provides support for any JavaScript runtime (4.3 MEDIUM)