CVE-2026-1536

MEDIUM

Libsoup - HTTP Header Injection

Title source: llm

Description

A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.

References (3)

https://gitlab.gnome.org/GNOME/libsoup/-/issues/486

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2026-1536

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2433834

Scores

CVSS v3 5.8

EPSS 0.0011

EPSS Percentile 29.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-93

Status published

Products (11)

gnome/libsoup

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 6

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9

redhat/enterprise_linux 6.0

redhat/enterprise_linux 7.0

redhat/enterprise_linux 8.0

redhat/enterprise_linux 9.0

... and 1 more

Published Jan 28, 2026

Tracked Since Feb 18, 2026