CVE-2026-9658
7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.
The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,
GET /path\r\nHTTP/1.1\r\nHost: secret.example.com
Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| RRWO | Plack::Middleware::Security::Common | 0 < 0.13.1 | affected |
Weaknesses
- CWE-790: CWE-790 Improper Filtering of Special Elements
- CWE-113: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers
Workarounds
Use with the the the non_printable_chars rule to block header injections.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.