VYPR

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Abstraction: Base · Status: Draft

Description

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-15 · CAPEC-81

CVEs mapped to this weakness (143)

page 4 of 8
  • CVE-2016-5331 · Medium · Aug 8, 2016
    risk 0.40 · cvss 6.1 · epss 0.02

    CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

  • CVE-2026-1299 · Medium · Jan 23, 2026
    risk 0.39 · cvss n/a · epss 0.01

    The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that…

  • CVE-2026-55603 · High · Jun 18, 2026
    risk 0.38 · cvss n/a · epss 0.00

    `fixRequestBody()` is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing `Content-Type` is `multipart/form-data`, it rebuilds the body with `handlerFormDataBodyData()`, which interpolates…

  • CVE-2025-57804 · Medium · Aug 25, 2025
    risk 0.38 · cvss n/a · epss 0.02

    h2 is a pure-Python implementation of an HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to…

  • CVE-2026-35504 · Medium · May 12, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.

  • CVE-2026-44217 · Medium · May 12, 2026
    risk 0.36 · cvss n/a · epss 0.00

    sse-channel is an SSE implementation which can be used with any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject…

  • CVE-2026-2717 · Medium · Apr 22, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This…

  • CVE-2026-46719 · Medium · May 16, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

  • CVE-2024-51981 · Medium · Jun 25, 2025
    risk 0.35 · cvss 5.3 · epss 0.01

    An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CRLF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Eventing subscription SOAP operation. The…

  • CVE-2016-9964 · Medium · Dec 16, 2016
    risk 0.35 · cvss 6.5 · epss 0.02

    redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.

  • CVE-2026-50629 · Medium · Jun 12, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are…

  • CVE-2026-41417 · Medium · May 6, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does…

  • CVE-2017-7528 · Medium · Aug 22, 2018
    risk 0.34 · cvss 5.2 · epss 0.01

    Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that the X-Forwarded-For header allows internal servers to deploy other systems (using callback).

  • CVE-2026-3848 · Medium · Mar 11, 2026
    risk 0.33 · cvss 5.0 · epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to…

  • CVE-2015-9097 · Medium · Jun 12, 2017
    risk 0.33 · cvss 6.1 · epss 0.03

    The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

  • CVE-2015-9096 · Medium · Jun 12, 2017
    risk 0.33 · cvss 6.1 · epss 0.04

    Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

  • CVE-2016-4993 · Medium · Sep 26, 2016
    risk 0.33 · cvss 6.1 · epss 0.03

    CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified…

  • CVE-2026-0672 · Medium · Jan 20, 2026
    risk 0.32 · cvss n/a · epss 0.00

    When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. The patch rejects all control characters within cookie names, values, and parameters.

  • CVE-2025-15282 · Medium · Jan 20, 2026
    risk 0.32 · cvss n/a · epss 0.00

    User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

  • CVE-2014-9563 · Medium · Apr 12, 2018
    risk 0.32 · cvss 4.9 · epss 0.01

    CRLF injection vulnerability in the web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allows remote authenticated users to modify the root password and consequently access the debug port using the…