What is GHSA-xcq6-chp9-g954?

GHSA-xcq6-chp9-g954 is a security advisory published by GitHub Security Advisories with unknown severity. Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header...

Which CVE IDs does GHSA-xcq6-chp9-g954 cover?

GHSA-xcq6-chp9-g954 covers the following CVE IDs: CVE-2026-9658. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

GHSA-xcq6-chp9-g954unknown

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header...

Vendor

GitHub Security Advisories

Published

May 28, 2026

Last Modified

May 28, 2026

🔗 CVE IDs covered (1)

CVE-2026-9658 →

📋 Description

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.

The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,

GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.

🔗 References (3)

https://nvd.nist.gov/vuln/detail/CVE-2026-9658
https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes
https://github.com/advisories/GHSA-xcq6-chp9-g954