Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-113

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Parent: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

82 vulnerabilities with CWE-113

CVE-2026-42035 HIGH

Axios: Header Injection via Prototype Pollution

CVE-2026-39971 HIGH

Serendipity: Host Header Injection leads to SMTP header injection via unvalidated HTTP_HOST

CVE-2026-40175 MEDIUM

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

CVE-2026-34767 MEDIUM

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

CVE-2026-34715 MEDIUM

ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)

CVE-2026-34520 CRITICAL

AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass

CVE-2026-34519 MEDIUM

AIOHTTP: HTTP response splitting via \r in reason phrase

CVE-2026-34514 MEDIUM

AIOHTTP: CRLF injection in multipart part content type header construction

CVE-2026-27810 MEDIUM

calibre <9.4.0 - HTTP Response Header Injection

CVE-2026-24320 LOW

SAP NetWeaver - Memory Corruption

CVE-2026-23686 LOW

SAP NetWeaver Application Server Java - CRLF Injection

CVE-2026-24489 MEDIUM

Gakido <0.1.1 - Command Injection

CVE-2026-22779 MEDIUM

BlackSheep <2.4.6 - CRLF Injection

CVE-2025-55271 LOW

HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability

CVE-2025-59151 HIGH

Pi-hole Web Interface < 6.3 - XSS

CVE-2025-61689 HIGH

HTTP.jl <1.10.19 - CRLF-based Header Injection

CVE-2025-40927 HIGH

CGI::Simple <1.282 - XSS

CVE-2025-42934 MEDIUM

SAP S/4HANA - CRLF Injection

CVE-2025-53094 HIGH

ESPAsyncWebServer <3.7.8 - CRLF Injection

CVE-2025-53007 HIGH

Arduino-esp32 <3.3.0-RC1, <3.2.1 - SSRF

CVE-2025-52479 HIGH

HTTP.jl <1.10.17 & URIs.jl <1.6.0 - CRLF Injection

CVE-2025-41234 MEDIUM

Spring Framework <6.0.5, 6.1.x, 6.2.x - RFD

CVE-2025-30221 MEDIUM

Pitchfork <0.11.0 - HTTP Response Header Injection

CVE-2025-0588 MEDIUM

Octopus Server - DoS

CVE-2025-0825 MEDIUM

Yhirose Cpp-httplib < 0.18.4 - XSS

Page 1 of 4 Next

Details

Vulnerabilities 82

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy