VYPR

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Abstraction: Base · Status: Draft

Description

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
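
The following worked example is added here to show the weakness concretely; it is not code from the CWE entry or from any project listed below. It assumes an HTTP response builder of its own (hypothetical names such as build_response_naive, build_response_safe and HeaderInjection) and uses constructed sample input. The vulnerable builder concatenates a header value containing "\r\n", so a single attacker-controlled Location value becomes two headers to the receiving client; the hardened builder validates names and values before serializing. The last check shows a caveat drawn from the undici entry in the list below: a CRLF check must run on the value in the form it will actually be emitted, because "%0d%0a" passes a check on the raw string and reappears as CRLF after percent-decoding.

```python
"""Added illustration of CWE-93, not code from the CWE entry or from any project
listed on this page. Names such as build_response_naive, build_response_safe and
HeaderInjection are hypothetical; all inputs are constructed samples."""
import re
from urllib.parse import unquote

# RFC 9110 forbids bare CR, LF and NUL in field values; the remaining C0 controls
# and DEL are rejected as well because intermediaries disagree on how to treat
# them. HTAB (0x09) stays allowed as legitimate field-value whitespace.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 field-name token
_REASONS = {200: "OK", 302: "Found"}                   # small constructed table


class HeaderInjection(ValueError):
    """Raised when a header name or value would terminate or split a line."""


def build_response_naive(status: int, headers: dict, body: bytes) -> bytes:
    """Vulnerable pattern: header values are concatenated without neutralizing
    CRLF, so a value containing "\\r\\n" starts a new header (and a value
    containing "\\r\\n\\r\\n" starts a new body)."""
    lines = [f"HTTP/1.1 {status} {_REASONS.get(status, '')}".rstrip()]
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def validate_header(name: str, value: str) -> tuple:
    """Reject rather than strip: silently removing CR/LF changes the meaning of
    the value and hides the attack attempt from logs."""
    if not _TOKEN.fullmatch(name):
        raise HeaderInjection(f"illegal header name: {name!r}")
    if _FORBIDDEN.search(value):
        raise HeaderInjection(f"control character in value of {name}: {value!r}")
    return name, value


def build_response_safe(status: int, headers: dict, body: bytes) -> bytes:
    """Hardened builder: every name and value is validated before serialization."""
    lines = [f"HTTP/1.1 {status} {_REASONS.get(status, '')}".rstrip()]
    for name, value in headers.items():
        name, value = validate_header(name, value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def is_clean_after_decoding(value: str) -> bool:
    """Check the value in the form it will be emitted. A percent-encoded "%0d%0a"
    passes a CRLF check on the raw string; if the value is percent-decoded later,
    the CRLF reappears at the point where it is written to the wire."""
    return _FORBIDDEN.search(unquote(value)) is None


def parse_response_headers(raw: bytes) -> list:
    """Minimal parser standing in for a client: splits on CRLF like a real one."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parsed = []
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


# Constructed attacker input: a redirect target carrying a smuggled Set-Cookie.
ATTACKER_LOCATION = "https://example.test/\r\nSet-Cookie: session=evil"


def demo_naive() -> list:
    """What a client sees when the vulnerable builder echoes the attacker's value."""
    raw = build_response_naive(302, {"Location": ATTACKER_LOCATION}, b"")
    return parse_response_headers(raw)


def demo_safe() -> str:
    """The hardened builder refuses the same value instead of emitting it."""
    try:
        build_response_safe(302, {"Location": ATTACKER_LOCATION}, b"")
    except HeaderInjection as exc:
        return f"rejected: {exc}"
    return "emitted"


if __name__ == "__main__":
    print(demo_naive())  # two headers; the Set-Cookie one was injected
    print(demo_safe())
    print(is_clean_after_decoding("%0d%0aSet-Cookie: session=evil"))  # False
```

The same shape applies to every protocol in the list below that uses CRLF as a record separator (SMTP commands, email and ICS headers, multipart part headers, FTP paths): validate at the boundary where the value is placed into the line-oriented format, after every decoding step that precedes it, and fail closed.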

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-15 · CAPEC-81

CVEs mapped to this weakness (143)

page 5 of 8
  • CVE-2026-9679 · Mod · Jun 17, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

  • CVE-2026-44214 · Med · May 26, 2026
    risk 0.31 · cvss 5.8 · epss 0.00

    eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject…

  • CVE-2026-1502 · Med · Apr 10, 2026
    risk 0.30 · cvss n/a · epss 0.00

    CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

  • CVE-2025-11468 · Med · Jan 20, 2026
    risk 0.30 · cvss n/a · epss 0.01

    When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

  • CVE-2025-59419 · Med · Oct 15, 2025
    risk 0.29 · cvss n/a · epss 0.02

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n)…

  • CVE-2026-2400 · Med · Apr 14, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.

  • CVE-2026-28296 · Med · Feb 26, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended…

  • CVE-2025-14531 · Med · Dec 11, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability was found in code-projects Rental Management System 2.0. This affects an unknown function of the file Transaction.java of the component Log Handler. Manipulation of the input results in CRLF injection. The attack can be initiated remotely. The exploit has been made…

  • CVE-2018-12537 · Med · Aug 14, 2018
    risk 0.28 · cvss 5.3 · epss 0.02

    In Eclipse Vert.x versions 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allows unfiltered values to inject a new header into the client request or server response.

  • CVE-2026-49214 · Med · Jun 11, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the…

  • CVE-2026-46739 · Med · Jun 4, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats (used for updating counters) and gauge methods…

  • CVE-2026-49130 · Med · May 28, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric…

  • CVE-2026-46740 · Med · May 26, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the…

  • CVE-2026-47069 · Med · May 25, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but…

  • CVE-2026-42037 · Med · Apr 24, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n)…

  • CVE-2026-2442 · Med · Mar 28, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder…

  • CVE-2026-24489 · Med · Jan 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.…

  • CVE-2026-26962 · Med · Apr 2, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values…

  • CVE-2018-12477 · Low · Oct 9, 2018
    risk 0.23 · cvss 3.5 · epss 0.01

    An Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches into deleting them. Affected releases are openSUSE Open Build Service: versions prior to…

  • CVE-2026-43882 · Med · May 11, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar…