CVE-2026-3633
LOWLibsoup: libsoup: header and http request injection via crlf injection
Title source: cnaDescription
A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
References (3)
Core 3
Core References
Vdb Entry, X_Refsource_Redhat vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-3633
Issue Tracking, X_Refsource_Redhat issue-tracking
x_refsource_redhat
RHBZ#2445128
https://bugzilla.redhat.com/show_bug.cgi?id=2445128
Scores
CVSS v3
3.9
EPSS
0.0022
EPSS Percentile
12.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-93
Status
published
Products (11)
gnome/libsoup
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 6
Red Hat/Red Hat Enterprise Linux 7
Red Hat/Red Hat Enterprise Linux 8
Red Hat/Red Hat Enterprise Linux 9
redhat/enterprise_linux
6.0
redhat/enterprise_linux
7.0
redhat/enterprise_linux
8.0
redhat/enterprise_linux
9.0
... and 1 more
Published
Mar 17, 2026
Tracked Since
Mar 17, 2026