High severity7.3NVD Advisory· Published May 28, 2026· Updated Jun 1, 2026
CVE-2026-9658
CVE-2026-9658
Description
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.
The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,
GET /path\r\nHTTP/1.1\r\nHost: secret.example.com
Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <0.13.1
- Range: <0.13.1
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.