CWE-644— Improper Neutralization of HTTP Headers for Scripting Syntax
The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.— MITRE CWE catalog
55 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-644page 2 of 2
- CVE-2026-33805HIGHCVSS 8.6EG 8.62026-04-15
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip pr…
- CVE-2026-4096MEDIUMCVSS 6.1EG 6.52026-06-11
IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-…
- CVE-2026-48126HIGHCVSS 8.2EG 8.22026-05-26
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory b…
- CVE-2026-54477MEDIUMCVSS 5.4EG 5.42026-07-03
The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks.
- CVE-2026-55791MEDIUMCVSS 6.9EG 6.92026-06-19
Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /a…
Map vulnerabilities like CWE-644 to your infrastructure
EchelonGraph correlates every CVE — across CWE-644 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →