Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-113

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Parent: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

97 vulnerabilities with CWE-113

CVE-2026-23686 LOW

SAP NetWeaver Application Server Java - CRLF Injection

CVE-2026-24489 MEDIUM

Gakido < 0.1.1 - HTTP Header Injection via CRLF Sequence

CVE-2026-22779 MEDIUM

BlackSheep < 2.4.6 - HTTP Request/Response Splitting via CRLF Injection

CVE-2025-55271 LOW

HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability

CVE-2025-59151 HIGH

Pi-hole Web Interface < 6.3 - HTTP Response Splitting via .lp File Redirect

CVE-2025-61689 HIGH

HTTP.jl <1.10.19 - CRLF-based Header Injection

CVE-2025-40927 HIGH

CGI::Simple < 1.282 - HTTP Response Splitting via URL-Encoded Parameter Injection

CVE-2025-42934 MEDIUM

SAP S/4HANA Supplier invoice - Authenticated CRLF Injection via Trusted Sites Configuration

CVE-2025-53094 HIGH

ESPAsyncWebServer <3.7.8 - CRLF Injection

CVE-2025-53007 HIGH

Arduino-esp32 <3.3.0-RC1, <3.2.1 - SSRF

CVE-2025-52479 HIGH

HTTP.jl <1.10.17 & URIs.jl <1.6.0 - CRLF Injection

CVE-2025-41234 MEDIUM

Spring Framework <6.0.5, 6.1.x, 6.2.x - RFD

CVE-2025-30221 MEDIUM

Pitchfork <0.11.0 - HTTP Response Header Injection

CVE-2025-0588 MEDIUM

Octopus Server 2020.1.0-2024.3.13097 - Denial of Service via Crafted Referrer Header

CVE-2025-0825 MEDIUM

cpp-httplib 0.17.3-0.18.3 - HTTP Response Splitting via Null Byte Prefixed CRLF Injection

CVE-2024-52875 HIGH

GFI Kerio Control 9.2.5-9.4.5 - HTTP Response Splitting via Dest Parameter

CVE-2024-45687 LOW

Payara Platform <6.21.0 - HTTP Request/Response Splitting

CVE-2024-54021 MEDIUM

FortiOS 7.2.0-7.6.0 and FortiProxy 7.2.0-7.4.5 - Unauthenticated HTTP Response Splitting via Crafted Headers

CVE-2024-42487 MEDIUM

Cilium <1.15.8-1.16.1 - Info Disclosure

CVE-2024-40324 MEDIUM

E-Staff <5.1 - HTTP Response Splitting

CVE-2024-20392 MEDIUM

Cisco AsyncOS - Unauthenticated HTTP Response Splitting via Web Management API

CVE-2024-24795 MEDIUM

Apache HTTP Server 2.4.0-2.4.58 - HTTP Response Splitting via Malicious Response Headers

CVE-2024-23644 MEDIUM

Trillium < 0.5.4 and trillium-http < 0.3.12 - HTTP Request/Response Splitting via Header Injection

CVE-2023-48256 MEDIUM

Bosch NEXO-OS 1000-1500-sp2 - HTTP Response Splitting via Crafted URL

CVE-2023-26147 MEDIUM

ithewei libhv - HTTP Response Splitting via CRLF Injection

Previous Page 2 of 4 Next

Details

Vulnerabilities 97

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy