Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-93

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

174 vulnerabilities with CWE-93

CVE-2026-35520 HIGH

Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection

CVE-2026-35519 HIGH

Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection

CVE-2026-35518 HIGH

Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection

CVE-2026-35517 HIGH

Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection

CVE-2026-34975 HIGH

Plunk <0.8.0 Raw MIME Construction - Email Header Injection

CVE-2026-26962 MEDIUM

Rack: Header injection in multipart requests

CVE-2026-2442 MEDIUM

Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email'

CVE-2026-33635 MEDIUM

iCalendar has ICS injection via unsanitized URI property values

CVE-2026-20113 MEDIUM

Cisco IOS XE Software <16.6.1 - CRLF Injection

CVE-2026-28753 LOW

NGINX ngx_mail_proxy_module vulnerability

CVE-2026-33128 HIGH

h3 Event Stream Fields - Server-Sent Events Injection

CVE-2026-3634 LOW

Libsoup: libsoup: http header injection and response splitting via crlf injection in content-type header

CVE-2026-3633 LOW

Libsoup: libsoup: header and http request injection via crlf injection

CVE-2026-1527 MEDIUM

undici < 6.24.0 and 7.0.0-7.23.9 - HTTP Request Smuggling via CRLF Injection in Upgrade Header

CVE-2026-3234 MEDIUM

mod_proxy_cluster - CRLF Injection via decodeenc() Function

CVE-2026-3848 MEDIUM

GitLab CE/EE 8.11-18.7.5, 18.8.x < 18.8.6, 18.9.x < 18.9.2 - Internal Request Forgery via Import

CVE-2026-30227 MEDIUM

MimeKit <4.15.1 - SMTP Command Injection

CVE-2026-29046 HIGH

TinyWeb < 2.04 - CGI Environment Variable Injection via Header Parsing

CVE-2026-28296 MEDIUM

GVfs FTP Backend - Command Injection

CVE-2026-1714 HIGH

ShopLentor WooCommerce Builder - Email Relay Abuse

CVE-2026-1536 MEDIUM

Libsoup - HTTP Header Injection

CVE-2026-1467 MEDIUM

Libsoup - CRLF Injection

CVE-2026-24489 MEDIUM

Gakido < 0.1.1 - HTTP Header Injection via CRLF Sequence

CVE-2026-1299 MEDIUM

CPython email module - CRLF Injection in BytesGenerator Header Serialization

CVE-2026-23953 HIGH

Incus < 6.0.5 and 6.1.0-6.20.0 - Authenticated Remote Code Execution via Environment Variable Newline Injection

Previous Page 3 of 7 Next

Details

Vulnerabilities 174

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy