CWE-93— CRLF Injection
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.— MITRE CWE catalog
161 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-93page 3 of 4
- CVE-2026-28296MEDIUMCVSS 4.3EG 4.32026-02-26
A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences …
- CVE-2026-32964MEDIUMCVSS 6.5EG 6.52026-04-20
SD-330AC and AMC Manager provided by silex technology, Inc. contain an improper neutralization of CRLF sequences ('CRLF Injection') vulnerability. Processing some crafted configuration data may lead to arbitrary entries injected to the sys…
- CVE-2026-32993HIGHCVSS 8.3EG 8.32026-05-13
Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.
- CVE-2026-34458HIGHCVSS 8.8EG 8.82026-05-05
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions (EditAdminOnly and ConfigPass…
- CVE-2026-34975HIGHCVSS 8.5EG 8.52026-04-06
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attach…
- CVE-2026-35504MEDIUMCVSS 5.5EG 5.52026-05-12
PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.
- CVE-2026-35517HIGHCVSS 8.8EG 8.82026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers conf…
- CVE-2026-35518HIGHCVSS 8.8EG 8.82026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configu…
- CVE-2026-35519HIGHCVSS 8.8EG 8.82026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configura…
- CVE-2026-35520HIGHCVSS 8.8EG 8.82026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configura…
- CVE-2026-35521HIGHCVSS 8.8EG 8.82026-04-07
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration …
- CVE-2026-35601MEDIUMCVSS 4.1EG 4.12026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task tit…
- CVE-2026-3848MEDIUMCVSS 5.0EG 5.02026-03-11
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy envi…
- CVE-2026-39394HIGHCVSS 8.1EG 8.12026-04-08
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any vali…
- CVE-2026-39849HIGHCVSS 8.8EG 8.82026-05-05
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an att…
- CVE-2026-39958CRITICALCVSS 9.1EG 9.12026-04-09
oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named "Topic Manifests" ({mirror}/debs/manifest/topics.json) from remote repository servers, registeri…
- CVE-2026-39983HIGHCVSS 8.6EG 8.62026-04-09
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), l…
- CVE-2026-41230HIGHCVSS 8.5EG 8.52026-04-23
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not…
- CVE-2026-41417MEDIUMCVSS 5.3EG 5.32026-05-06
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would bre…
- CVE-2026-41570HIGHCVSS 7.8EG 7.82026-05-08
PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metachara…
- CVE-2026-42037MEDIUMCVSS 5.3EG 5.32026-04-24
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart …
- CVE-2026-42257CRITICALCVSS 9.8EG 9.82026-05-09
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation o…
- CVE-2026-42258MEDIUMCVSS 5.3EG 5.32026-05-09
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arg…
- CVE-2026-42578HIGHCVSS 7.5EG 2.92026-05-13
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() me…
- CVE-2026-42586MEDIUMCVSS 6.8EG 6.82026-05-13
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without…
- CVE-2026-43882MEDIUMCVSS 4.3EG 4.32026-05-11
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloa…
- CVE-2026-43968MEDIUMCVSS 4.0EG 4.02026-05-11
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cow_sse:event/1 in cowlib guards the id and event fields against \n but …
- CVE-2026-43969LOWCVSS 3.2EG 3.22026-05-11
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-…
- CVE-2026-44214MEDIUMCVSS 5.8EG 5.82026-05-26
eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who …
- CVE-2026-44217MEDIUMCVSS 6.6EG 6.62026-05-12
sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing…
- CVE-2026-45372CRITICALCVSS 9.9EG 9.92026-05-29
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The val…
- CVE-2026-46719MEDIUMCVSS 6.5EG 6.52026-05-16
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
- CVE-2026-46720HIGHCVSS 8.2EG 8.22026-05-17
Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
- CVE-2026-46739MEDIUMCVSS 5.3EG 5.32026-06-04
Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats (used fo…
- CVE-2026-46740MEDIUMCVSS 5.3EG 5.32026-05-26
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd …
- CVE-2026-46741HIGHCVSS 7.5EG 7.52026-06-04
Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note tha…
- CVE-2026-47069MEDIUMCVSS 5.3EG 5.32026-05-25
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against …
- CVE-2026-47072HIGHCVSS 7.5EG 7.52026-05-25
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and proto…
- CVE-2026-47075HIGHCVSS 7.5EG 7.52026-05-25
Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the …
- CVE-2026-47240MEDIUMCVSS 5.8EG 5.82026-06-09
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injecti…
- CVE-2026-47242MEDIUMCVSS 5.8EG 5.82026-06-09
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id is called with a hash argument, although the ID field value strings are correctly quoted (escaping quot…
- CVE-2026-48861LOWCVSS 2.1EG 2.12026-06-02
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling. In lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-s…
- CVE-2026-49130MEDIUMCVSS 5.3EG 5.32026-05-28
Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicio…
- CVE-2026-49214MEDIUMCVSS 5.3EG 5.32026-06-11
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application acc…
- CVE-2026-49756LOWCVSS 2.1EG 2.12026-06-08
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata. Req.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part …
- CVE-2026-50188MEDIUMCVSS 6.9EG 6.92026-06-18
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request(), Remote::get(), and Remote::post(), to send outgoing HTTP requests with unt…
- CVE-2026-50269HIGHCVSS 7.5EG 7.52026-06-15
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In …
- CVE-2026-50292CRITICALCVSS 9.8EG 7.42026-06-04
In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution
- CVE-2026-50629MEDIUMCVSS 5.3EG 8.22026-06-12
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, i…
- CVE-2026-50637HIGHCVSS 8.2EG 8.22026-06-10
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions) allow mutiple metrics, separated by newlines, to be sent per packet. The send method does not va…
Map vulnerabilities like CWE-93 to your infrastructure
EchelonGraph correlates every CVE — across CWE-93 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →