CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Parent: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
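The weakness described above, as an added example that is not part of the CWE entry or of any project listed on this page. It uses a hypothetical minimal HTTP/1.1 response serializer (the names build_response_unsafe, build_response_safe, validate_header and parse_responses are chosen here) and a constructed attacker-supplied redirect target; the hardening rule is the RFC 9110 field-value grammar, which excludes CR, LF, NUL, the other C0 controls and DEL.

```python
# Added example, not taken from the CWE entry or from any project listed
# on this page. A minimal HTTP/1.1 response serializer (hypothetical names
# build_response_unsafe / build_response_safe / parse_responses) showing how
# an unneutralized CR/LF in one header value becomes a second, forged
# response, and the field-value check that closes the hole.
import re

# RFC 9110 field-value content: VCHAR (0x21-0x7E), SP, HTAB and obs-text
# (0x80-0xFF). CR, LF, NUL, the other C0 controls and DEL are excluded.
# fullmatch() is used deliberately: with re.match and "$", a trailing "\n"
# would slip through because "$" also matches just before a final newline.
_FIELD_VALUE = re.compile(r"[\x21-\x7e\x80-\xff \t]*")
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def build_response_unsafe(status: str, headers: list, body: bytes = b"") -> bytes:
    """The CWE-113 pattern: header values are copied into the wire format verbatim."""
    lines = [f"HTTP/1.1 {status}"]
    lines += [f"{name}: {value}" for name, value in headers]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def validate_header(name: str, value: str) -> None:
    """Reject anything that could terminate the field or the header block."""
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid header name: {name!r}")
    if not _FIELD_VALUE.fullmatch(value):
        raise ValueError(f"control character in value of {name}: {value!r}")


def rejects(name: str, value: str) -> bool:
    """True if the hardened check refuses this name/value pair."""
    try:
        validate_header(name, value)
    except ValueError:
        return True
    return False


def build_response_safe(status: str, headers: list, body: bytes = b"") -> bytes:
    """Same serializer, but every name/value is validated first."""
    for name, value in headers:
        validate_header(name, value)
    return build_response_unsafe(status, headers, body)


def parse_responses(raw: bytes) -> list:
    """Read back-to-back responses the way a keep-alive client would:
    status line, headers up to the blank line, then Content-Length body bytes.
    Returns one dict per response found; trailing non-HTTP bytes are ignored."""
    found, pos = [], 0
    while True:
        while raw.startswith(b"\r\n", pos):      # tolerate stray blank lines
            pos += 2
        if not raw.startswith(b"HTTP/", pos):
            break                                 # leftover bytes are not a response
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        status_line, *header_lines = raw[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in header_lines:
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        found.append({"status": status_line, "headers": headers,
                      "body": raw[body_start:body_start + length]})
        pos = body_start + length
    return found


# Constructed attacker input: a redirect target that closes the real 302
# response and appends a complete forged 200 response with its own body.
INJECTED_LOCATION = (
    "/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 17\r\n"
    "\r\n"
    "<h1>attacker</h1>"
)


def demo_split() -> list:
    """Serialize a 302 with the injected Location and see what a client parses."""
    raw = build_response_unsafe("302 Found", [("Location", INJECTED_LOCATION)])
    return parse_responses(raw)


if __name__ == "__main__":
    responses = demo_split()
    print(f"unsafe serializer produced {len(responses)} responses;",
          f"second one is {responses[1]['status']!r} with body {responses[1]['body']!r}")
    print("hardened serializer rejected the input:", rejects("Location", INJECTED_LOCATION))
```

The same check belongs on the request side (request lines and outgoing request headers, as in the HTTP::Tiny, Netty and Axios entries below) and on every sub-component that is later concatenated into a header: cookie attributes, multipart content-type parameters and the reason phrase all appear in the listing as injection points, and a bare CR without LF is enough to split on lenient receivers, so reject CR and LF individually rather than only the CRLF pair.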

97 vulnerabilities with CWE-113
CVE-2026-50630 MEDIUM
Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection
CVSS 6.5
CVE-2026-44489 LOW
Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
CVSS 3.7
CVE-2026-49214 MEDIUM
guzzlehttp/psr7 has CRLF Injection via URI Host Component
CVSS 5.3
CVE-2026-43966 MEDIUM
HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2
CVE-2026-48596 LOW
CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection
CVE-2026-38967 CRITICAL
CrowCpp Crow <= 1.3.1 - HTTP Response Header Injection via Unvalidated Header Values
CVSS 9.8
CVE-2026-38978 MEDIUM
Transmission <= 4.1.1 - Clickjacking in WebUI and RPC Response Paths
CVSS 5.3
CVE-2026-47675 MEDIUM
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
CVSS 4.3
CVE-2026-9658 HIGH
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths
CVSS 7.3
CVE-2026-44214 MEDIUM
eventsource-encoder: SSE event injection via unsanitized event and id fields
CVSS 5.8
CVE-2026-42578 HIGH
Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation
CVSS 7.5
CVE-2026-7010 MEDIUM
HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values
CVSS 6.5
CVE-2026-42874 LOW
Microdot: HTTP response splitting in Response.set_cookie()
CVSS 3.7
CVE-2026-41683 HIGH
HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header
CVSS 8.6
CVE-2026-43870 HIGH
Apache Thrift: Node.js web_server.js multi-vulnerability
CVSS 7.3
CVE-2026-42035 HIGH
Axios: Header Injection via Prototype Pollution
CVSS 7.4
CVE-2026-39971 HIGH
Serendipity: Host Header Injection leads to SMTP header injection via unvalidated HTTP_HOST
CVSS 7.2
CVE-2026-40175 MEDIUM
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
CVSS 4.8
CVE-2026-34767 MEDIUM
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
CVSS 5.9
CVE-2026-34715 MEDIUM
ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)
CVSS 5.3
CVE-2026-34520 CRITICAL
AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass
CVSS 9.1
CVE-2026-34519 MEDIUM
AIOHTTP: HTTP response splitting via \r in reason phrase
CVSS 5.3
CVE-2026-34514 MEDIUM
AIOHTTP: CRLF injection in multipart part content type header construction
CVSS 5.3
CVE-2026-27810 MEDIUM
calibre <9.4.0 - HTTP Response Header Injection
CVSS 6.4
CVE-2026-24320 LOW
SAP NetWeaver AS ABAP Kernel - Memory Corruption via Crafted Input
CVSS 3.1