Unrated severityNVD Advisory· Published Mar 17, 2026· Updated Mar 19, 2026

Libsoup: libsoup: header and http request injection via crlf injection

CVE-2026-3633

Description

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the soup_message_new() function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.

Affected products

Red Hat/Red Hat Enterprise Linux 10v5
cpe:/o:redhat:enterprise_linux:10
Red Hat/Red Hat Enterprise Linux 6v5
cpe:/o:redhat:enterprise_linux:6
Red Hat/Red Hat Enterprise Linux 7v5
cpe:/o:redhat:enterprise_linux:7
Red Hat/Red Hat Enterprise Linux 8v5
cpe:/o:redhat:enterprise_linux:8
Red Hat/Red Hat Enterprise Linux 9v5
cpe:/o:redhat:enterprise_linux:9
GNOME Foundation/Libsoupllm-fuzzy

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/security/cve/CVE-2026-3633mitrevdb-entryx_refsource_REDHAT
bugzilla.redhat.com/show_bug.cgimitreissue-trackingx_refsource_REDHAT
gitlab.gnome.org/GNOME/libsoup/-/issues/484mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000