CVE-2026-9658
Severity: HIGH
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths
Title source: cnaDescription
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in request paths unless they were double-encoded. For example, a request such as:

GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
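As an added illustration of the check the advisory describes, the following pure-Perl PSGI wrapper rejects request paths that carry a line break in raw, percent-encoded or double-percent-encoded form. This is example code written for this page, not the module's own rule: the function names, the 400 response and the sample paths are assumptions for the example, and only the raw-CRLF request path is taken from the advisory text. It needs nothing beyond core Perl, so it runs without Plack installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Decode %XX sequences one level. A regex is used so the script has no
# dependency beyond core Perl (URI::Escape would do the same job).
sub percent_decode_once {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# True if the path contains CR or LF after 0, 1 or 2 rounds of
# percent-decoding. Checking every decoding level (not only the
# double-decoded form) is what closes the gap the advisory describes:
# a raw or singly-encoded CRLF must be caught as well.
sub path_has_header_injection {
    my ($path, $max_decode) = @_;
    $max_decode //= 2;                      # assumption: two levels is enough
    my $s = $path;
    for my $level (0 .. $max_decode) {
        return 1 if $s =~ /[\r\n]/;
        my $next = percent_decode_once($s);
        last if $next eq $s;                # nothing left to decode
        $s = $next;
    }
    return 0;
}

# PSGI wrapper (plain coderef, no Plack needed): answer 400 before the
# wrapped application sees the request. Both the decoded PATH_INFO and the
# raw REQUEST_URI are inspected, since a server decodes the former.
sub wrap_with_crlf_check {
    my ($app) = @_;
    return sub {
        my ($env) = @_;
        for my $field (qw(PATH_INFO REQUEST_URI QUERY_STRING)) {
            my $v = $env->{$field};
            next unless defined $v;
            if (path_has_header_injection($v)) {
                return [ 400, [ 'Content-Type' => 'text/plain' ], ["Bad Request\n"] ];
            }
        }
        return $app->($env);
    };
}

my $app     = sub { [ 200, [ 'Content-Type' => 'text/plain' ], ["ok\n"] ] };
my $guarded = wrap_with_crlf_check($app);

# Constructed sample paths; the second one is the advisory's example.
my @cases = (
    "/path",                                          # clean
    "/path\r\nHTTP/1.1\r\nHost: secret.example.com",  # raw CRLF (advisory)
    "/path%0D%0AHost:%20secret.example.com",          # single-encoded
    "/path%250D%250AHost:%20secret.example.com",      # double-encoded
);
for my $p (@cases) {
    my $res = $guarded->({ REQUEST_METHOD => 'GET', PATH_INFO => $p });
    (my $shown = $p) =~ s/\r/\\r/g;
    $shown =~ s/\n/\\n/g;
    printf "%-48s -> %d\n", $shown, $res->[0];
}
```

Run it with `perl` and the clean path gets 200 while the raw, single-encoded and double-encoded variants all get 400. As the advisory itself notes, whether a reverse proxy in front of the application would let such a path through at all is not settled, so this check belongs in the application regardless of what the proxy is assumed to do.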
References (2)
Release Notes
https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes
Scores
CVSS v3
7.3
EPSS
0.0023
EPSS Percentile
13.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-113
CWE-790
Status
published
Products (1)
RRWO/Plack::Middleware::Security::Common
< 0.13.1
Published
May 28, 2026
Tracked Since
May 28, 2026