CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

135 vulnerabilities with CWE-93
CVE-2026-5140 (HIGH, CVSS 8.8): Authorization Bypass in TUBITAK BILGEM's Pardus Update
CVE-2026-42037 (MEDIUM, CVSS 5.3): Axios 1.0.0-1.15.0 - Header Injection
CVE-2026-41230 (HIGH, CVSS 8.5): Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
CVE-2026-2717 (MEDIUM, CVSS 5.5): HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values
CVE-2026-32964 (MEDIUM, CVSS 6.5): silex technology SD-330AC <=Ver.1.42 - CRLF Injection
CVE-2026-6351 (HIGH, CVSS 7.5): Openfind|MailGates/MailAudit - CRLF Injection
CVE-2026-2400 (MEDIUM, CVSS 4.3): Schneider Electric PowerChute Serial Shutdown <=1.4 - CRLF Injection
CVE-2026-35601 (MEDIUM, CVSS 4.1): Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output
CVE-2026-39983 (HIGH, CVSS 8.6): FTP Command Injection via CRLF in basic-ftp
CVE-2026-39958 (CRITICAL, CVSS 9.1): oma-topic: name Field in Topic Manifests (topic.json) May Allow CRLF Injection
CVE-2026-39394 (HIGH, CVSS 8.1): CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
CVE-2026-35521 (HIGH, CVSS 8.8): Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
CVE-2026-35520 (HIGH, CVSS 8.8): Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection
CVE-2026-35519 (HIGH, CVSS 8.8): Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection
CVE-2026-35518 (HIGH, CVSS 8.8): Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection
CVE-2026-35517 (HIGH, CVSS 8.8): Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection
CVE-2026-34975 (HIGH, CVSS 8.5): Plunk has a CRLF Email Header Injection in raw MIME message construction allows authenticated API user to inject arbitrary email headers
CVE-2026-26962 (MEDIUM, CVSS 4.8): Rack: Header injection in multipart requests
CVE-2026-2442 (MEDIUM, CVSS 5.3): Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email'
CVE-2026-33635 (MEDIUM, CVSS 4.3): iCalendar has ICS injection via unsanitized URI property values
CVE-2026-20113 (MEDIUM, CVSS 5.3): Cisco IOS XE Software <16.6.1 - CRLF Injection
CVE-2026-28753 (LOW, CVSS 3.7): NGINX ngx_mail_proxy_module vulnerability
CVE-2026-33128 (HIGH, CVSS 7.5): h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
CVE-2026-3634 (LOW, CVSS 3.9): Libsoup: libsoup: http header injection and response splitting via crlf injection in content-type header
CVE-2026-3633 (LOW, CVSS 3.9): Libsoup: libsoup: header and http request injection via crlf injection