CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Description
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-15 · CAPEC-81
CVEs mapped to this weakness (143)
page 5 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-9679 | — | Med | 0.31 | 5.9 | 0.00 | — | Jun 17, 2026 | undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding |
| CVE-2026-44214 | — | Med | 0.31 | 5.8 | 0.00 | — | May 26, 2026 | eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject… |
| CVE-2026-1502 | — | Med | 0.30 | — | 0.00 | — | Apr 10, 2026 | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. |
| CVE-2025-11468 | — | Med | 0.30 | — | 0.01 | — | Jan 20, 2026 | When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. |
| CVE-2025-59419 | — | Med | 0.29 | — | 0.02 | — | Oct 15, 2025 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n)… |
| CVE-2026-2400 | — | Med | 0.28 | 4.3 | 0.00 | — | Apr 14, 2026 | CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload. |
| CVE-2026-28296 | — | Med | 0.28 | 4.3 | 0.00 | — | Feb 26, 2026 | A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended… |
| CVE-2025-14531 | — | Med | 0.28 | 4.3 | 0.00 | — | Dec 11, 2025 | A vulnerability was found in code-projects Rental Management System 2.0. This affects an unknown function of the file Transaction.java of the component Log Handler. Performing manipulation results in CRLF injection. The attack can be initiated remotely. The exploit has been made… |
| CVE-2018-12537 | — | Med | 0.28 | 5.3 | 0.02 | — | Aug 14, 2018 | In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allows unfiltered values to inject a new header in the client request or server response. |
| CVE-2026-49214 | — | Med | 0.27 | 5.3 | 0.00 | — | Jun 11, 2026 | guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the… |
| CVE-2026-46739 | — | Med | 0.27 | 5.3 | 0.00 | — | Jun 4, 2026 | Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats (used for updating counters) and gauge methods… |
| CVE-2026-49130 | — | Med | 0.27 | 5.3 | 0.00 | — | May 28, 2026 | Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric… |
| CVE-2026-46740 | — | Med | 0.27 | 5.3 | 0.00 | — | May 26, 2026 | Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the… |
| CVE-2026-47069 | — | Med | 0.27 | 5.3 | 0.00 | — | May 25, 2026 | Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but… |
| CVE-2026-42037 | — | Med | 0.27 | 5.3 | 0.00 | — | Apr 24, 2026 | Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n)… |
| CVE-2026-2442 | — | Med | 0.27 | 5.3 | 0.00 | — | Mar 28, 2026 | The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder… |
| CVE-2026-24489 | — | Med | 0.27 | 5.3 | 0.00 | — | Jan 27, 2026 | Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.… |
| CVE-2026-26962 | — | Med | 0.24 | 4.8 | 0.00 | — | Apr 2, 2026 | Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values… |
| CVE-2018-12477 | — | Low | 0.23 | 3.5 | 0.01 | — | Oct 9, 2018 | An Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches to delete them. Affected releases are openSUSE Open Build Service: versions prior to… |
| CVE-2026-43882 | — | Med | 0.21 | 4.3 | 0.00 | — | May 11, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar… |