CVE-2026-3633

LOW

Libsoup: libsoup: header and http request injection via crlf injection

Title source: cna

Description

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.

References (3)

https://gitlab.gnome.org/GNOME/libsoup/-/issues/484

[Vdb Entry, X_Refsource_Redhat] https://access.redhat.com/security/cve/CVE-2026-3633

[Issue Tracking, X_Refsource_Redhat] https://bugzilla.redhat.com/show_bug.cgi?id=2445128

Scores

CVSS v3 3.9

EPSS 0.0004

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-93

Status published

Products (11)

gnome/libsoup

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 6

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9

redhat/enterprise_linux 6.0

redhat/enterprise_linux 7.0

redhat/enterprise_linux 8.0

redhat/enterprise_linux 9.0

... and 1 more

Published Mar 17, 2026

Tracked Since Mar 17, 2026