CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CVE-2026-43882 (GCVE-0-2026-43882)
Vulnerability from cvelistv5 – Published: 2026-05-11 20:40 – Updated: 2026-05-13 14:39
VLAI
Title
WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
Summary
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines — including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix.
Severity
4.3 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/WWBN/AVideo/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/WWBN/AVideo/commit/764db592f99… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43882",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T14:05:03.419322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:39:21.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c= 29.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines \u2014 including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim\u0027s trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim\u0027s calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:40:53.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv"
},
{
"name": "https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5"
}
],
"source": {
"advisory": "GHSA-mwgh-92m2-wvhv",
"discovery": "UNKNOWN"
},
"title": "WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-43882",
"datePublished": "2026-05-11T20:40:53.428Z",
"dateReserved": "2026-05-04T15:17:09.329Z",
"dateUpdated": "2026-05-13T14:39:21.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43968 (GCVE-0-2026-43968)
Vulnerability from cvelistv5 – Published: 2026-05-11 18:06 – Updated: 2026-05-12 12:11
VLAI
Title
CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.
cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Because the SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.
This issue affects cowlib from 2.6.0 before 2.16.1.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-43968.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-43968 | related |
| https://github.com/ninenines/cowlib/commit/6165fc… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:57:13.541982Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:57:38.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_sse"
],
"packageName": "cowlib",
"packageURL": "pkg:hex/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_sse.erl"
],
"programRoutines": [
{
"name": "cow_sse:event/1"
},
{
"name": "cow_sse:event_id/1"
},
{
"name": "cow_sse:event_name/1"
},
{
"name": "cow_sse:event_data/1"
},
{
"name": "cow_sse:event_comment/1"
},
{
"name": "cow_sse:prefix_lines/2"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"lessThan": "2.16.1",
"status": "affected",
"version": "2.6.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_sse"
],
"packageName": "ninenines/cowlib",
"packageURL": "pkg:github/ninenines/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_sse.erl"
],
"programRoutines": [
{
"name": "cow_sse:event/1"
},
{
"name": "cow_sse:event_id/1"
},
{
"name": "cow_sse:event_name/1"
},
{
"name": "cow_sse:event_data/1"
},
{
"name": "cow_sse:event_comment/1"
},
{
"name": "cow_sse:prefix_lines/2"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"lessThan": "6165fc40efa159ba1cceee7e7981e790acba5d9c",
"status": "affected",
"version": "93b2b897cde238506c803faad4d1602d79dba7c9",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must pass user-controlled data as the \u003ctt\u003eid\u003c/tt\u003e, \u003ctt\u003eevent\u003c/tt\u003e, \u003ctt\u003edata\u003c/tt\u003e, or \u003ctt\u003ecomment\u003c/tt\u003e field to \u003ctt\u003ecow_sse:event/1\u003c/tt\u003e (or a higher-level wrapper such as \u003ctt\u003ecowboy_req:stream_events/3\u003c/tt\u003e). Applications that construct SSE events exclusively from trusted, application-controlled values are not affected.\u003c/p\u003e"
}
],
"value": "The application must pass user-controlled data as the id, event, data, or comment field to cow_sse:event/1 (or a higher-level wrapper such as cowboy_req:stream_events/3). Applications that construct SSE events exclusively from trusted, application-controlled values are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.16.1",
"versionStartIncluding": "2.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lo\u00efc Hoguin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_sse:event/1\u003c/tt\u003e in cowlib guards the \u003ctt\u003eid\u003c/tt\u003e and \u003ctt\u003eevent\u003c/tt\u003e fields against \u003ctt\u003e\\n\u003c/tt\u003e but not against bare \u003ctt\u003e\\r\u003c/tt\u003e, and the internal \u003ctt\u003eprefix_lines/2\u003c/tt\u003e function used for \u003ctt\u003edata\u003c/tt\u003e and \u003ctt\u003ecomment\u003c/tt\u003e fields splits only on \u003ctt\u003e\\n\u003c/tt\u003e. Because the SSE specification requires decoders to treat \u003ctt\u003e\\r\\n\u003c/tt\u003e, \u003ctt\u003e\\r\u003c/tt\u003e, and \u003ctt\u003e\\n\u003c/tt\u003e as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser \u003ctt\u003eEventSource\u003c/tt\u003e clients or other SSE consumers dispatch on \u003ctt\u003eevent.type\u003c/tt\u003e and render \u003ctt\u003eevent.data\u003c/tt\u003e, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 2.6.0 before 2.16.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\n\ncow_sse:event/1 in cowlib guards the id and event fields against \\n but not against bare \\r, and the internal prefix_lines/2 function used for data and comment fields splits only on \\n. Because the SSE specification requires decoders to treat \\r\\n, \\r, and \\n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\n\nThis issue affects cowlib from 2.6.0 before 2.16.1."
}
],
"impacts": [
{
"capecId": "CAPEC-34",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-34 HTTP Response Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:11:43.388Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43968.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43968"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSanitize user-controlled values before passing them to \u003ctt\u003ecow_sse:event/1\u003c/tt\u003e: reject or strip any value containing \u003ctt\u003e\\r\u003c/tt\u003e or \u003ctt\u003e\\n\u003c/tt\u003e characters in the \u003ctt\u003eid\u003c/tt\u003e, \u003ctt\u003eevent\u003c/tt\u003e, \u003ctt\u003edata\u003c/tt\u003e, and \u003ctt\u003ecomment\u003c/tt\u003e fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.\u003c/p\u003e"
}
],
"value": "Sanitize user-controlled values before passing them to cow_sse:event/1: reject or strip any value containing \\r or \\n characters in the id, event, data, and comment fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43968",
"datePublished": "2026-05-11T18:06:42.881Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-05-12T12:11:43.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43969 (GCVE-0-2026-43969)
Vulnerability from cvelistv5 – Published: 2026-05-11 18:06 – Updated: 2026-05-12 04:26
VLAI
Title
Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.
cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check.
This issue affects cowlib from 2.9.0.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-43969.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-43969 | related |
| https://github.com/erlef/cowlib/commit/177953dd51… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43969",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:55:16.028478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:55:26.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_cookie"
],
"packageName": "cowlib",
"packageURL": "pkg:hex/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_cookie.erl"
],
"programRoutines": [
{
"name": "cow_cookie:cookie/1"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"status": "affected",
"version": "2.9.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"cow_cookie"
],
"packageName": "ninenines/cowlib",
"packageURL": "pkg:github/ninenines/cowlib",
"product": "cowlib",
"programFiles": [
"src/cow_cookie.erl"
],
"programRoutines": [
{
"name": "cow_cookie:cookie/1"
}
],
"repo": "https://github.com/ninenines/cowlib",
"vendor": "ninenines",
"versions": [
{
"status": "affected",
"version": "f017f8a0ecbffd5033d9ab49bf180186f7a523a7",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must pass attacker-controlled bytes as cookie names or values to \u003ctt\u003ecow_cookie:cookie/1\u003c/tt\u003e. Applications that construct cookie lists exclusively from trusted, application-controlled values are not affected.\u003c/p\u003e"
}
],
"value": "The application must pass attacker-controlled bytes as cookie names or values to cow_cookie:cookie/1. Applications that construct cookie lists exclusively from trusted, application-controlled values are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_cookie:cookie/1\u003c/tt\u003e in cowlib builds a client-side \u003ctt\u003eCookie:\u003c/tt\u003e request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject \u003ctt\u003e;\u003c/tt\u003e, \u003ctt\u003e,\u003c/tt\u003e, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting \u003ctt\u003e; admin=1\u003c/tt\u003e to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (\u003ctt\u003eparse_cookie_name/1\u003c/tt\u003e, \u003ctt\u003eparse_cookie_value/1\u003c/tt\u003e) and \u003ctt\u003esetcookie/3\u003c/tt\u003e already validate and reject these characters; the encoder alone is missing the check.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 2.9.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.\n\ncow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting \"; admin=1\" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check.\n\nThis issue affects cowlib from 2.9.0."
}
],
"impacts": [
{
"capecId": "CAPEC-105",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-105 HTTP Request Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T04:26:34.206Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43969.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43969"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlef/cowlib/commit/177953dd51540da11090666c1f007214127a1144"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eValidate inputs into \u003ctt\u003ecow_cookie:cookie/1\u003c/tt\u003e to only include valid cookie name and value characters as defined in RFC 6265 Section 4.1.1 before passing them to the function.\u003c/p\u003e"
}
],
"value": "Validate inputs into cow_cookie:cookie/1 to only include valid cookie name and value characters as defined in RFC 6265 Section 4.1.1 before passing them to the function."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43969",
"datePublished": "2026-05-11T18:06:40.667Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-05-12T04:26:34.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44214 (GCVE-0-2026-44214)
Vulnerability from cvelistv5 – Published: 2026-05-26 19:34 – Updated: 2026-05-27 13:19
VLAI
Title
eventsource-encoder: SSE event injection via unsanitized event and id fields
Summary
eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.
Severity
5.8 (Medium)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/rexxars/eventsource-encoder/se… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| rexxars | eventsource-encoder |
Affected:
< 1.0.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44214",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:19:24.561615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:19:45.558Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "eventsource-encoder",
"vendor": "rexxars",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\\n, \\r, or \\r\\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:34:32.273Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx"
}
],
"source": {
"advisory": "GHSA-m9g3-3g99-mhpx",
"discovery": "UNKNOWN"
},
"title": "eventsource-encoder: SSE event injection via unsanitized event and id fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44214",
"datePublished": "2026-05-26T19:34:32.273Z",
"dateReserved": "2026-05-05T15:13:47.572Z",
"dateUpdated": "2026-05-27T13:19:45.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44217 (GCVE-0-2026-44217)
Vulnerability from cvelistv5 – Published: 2026-05-12 19:51 – Updated: 2026-05-14 19:52
VLAI
Title
sse-channel: SSE Injection via unsanitized event fields
Summary
sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/rexxars/sse-channel/security/a… | x_refsource_CONFIRM |
| https://github.com/rexxars/sse-channel/issues/42 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| rexxars | sse-channel |
Affected:
< 4.0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T19:50:24.505003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:52:02.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sse-channel",
"vendor": "rexxars",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:51:06.910Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg"
},
{
"name": "https://github.com/rexxars/sse-channel/issues/42",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rexxars/sse-channel/issues/42"
}
],
"source": {
"advisory": "GHSA-84hm-wfh8-c5pg",
"discovery": "UNKNOWN"
},
"title": "sse-channel: SSE Injection via unsanitized event fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44217",
"datePublished": "2026-05-12T19:51:06.910Z",
"dateReserved": "2026-05-05T15:13:47.572Z",
"dateUpdated": "2026-05-14T19:52:02.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46719 (GCVE-0-2026-46719)
Vulnerability from cvelistv5 – Published: 2026-05-16 13:37 – Updated: 2026-05-19 12:51
VLAI
Title
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections
Summary
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.
The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Severity
6.5 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/RRWO/Net-Statsd-Lite… | release-notes |
| https://github.com/robrwo/Net-Statsd-Lite/commit/… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| RRWO | Net::Statsd::Lite |
Affected:
0 , < 0.9.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-16T20:15:59.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/16/9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46719",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T12:51:17.582054Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:51:28.945Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-Statsd-Lite",
"product": "Net::Statsd::Lite",
"programRoutines": [
{
"name": "Net::Statsd::Lite::record_metric"
}
],
"repo": "https://github.com/robrwo/Net-Statsd-Lite",
"vendor": "RRWO",
"versions": [
{
"lessThan": "0.9.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.\n\nThe metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T13:37:22.000Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Net::Statsd::Lite version 0.9.0 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-14T00:00:00.000Z",
"value": "Issue reported to CPANSec"
},
{
"lang": "en",
"time": "2026-05-15T00:00:00.000Z",
"value": "Author notified"
},
{
"lang": "en",
"time": "2026-05-16T00:00:00.000Z",
"value": "Fix released"
}
],
"title": "Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch.\n\nAlternatively, validate that all metrics sent to the client based on untrusted data do not contain metric injections."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-46719",
"datePublished": "2026-05-16T13:37:22.000Z",
"dateReserved": "2026-05-16T00:56:00.338Z",
"dateUpdated": "2026-05-19T12:51:28.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46720 (GCVE-0-2026-46720)
Vulnerability from cvelistv5 – Published: 2026-05-17 17:51 – Updated: 2026-05-26 22:47
VLAI
Title
Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections
Summary
Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections.
The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Severity
8.2 (High)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/RRWO/Net-Statsd-Tiny… | release-notes |
| https://github.com/robrwo/Net-Statsd-Tiny/commit/… | patch |
| https://www.cve.org/CVERecord?id=CVE-2026-46719 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| RRWO | Net::Statsd::Tiny |
Affected:
0 , < 0.3.8
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46720",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T12:54:22.223047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T12:54:25.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-Statsd-Tiny",
"product": "Net::Statsd::Tiny",
"programRoutines": [
{
"name": "Net::Statsd::Tiny::_record"
}
],
"repo": "https://github.com/robrwo/Net-Statsd-Tiny",
"vendor": "RRWO",
"versions": [
{
"lessThan": "0.3.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections.\n\nThe metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T22:47:36.662Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/RRWO/Net-Statsd-Tiny-v0.3.8/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/robrwo/Net-Statsd-Tiny/commit/06f814f52fbcc0b2afddf7a2d6f8137fd3cede13.patch"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Net::Statsd::Tiny version 0.3.8 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-14T00:00:00.000Z",
"value": "Issue reported to CPANSec"
},
{
"lang": "en",
"time": "2026-05-15T00:00:00.000Z",
"value": "Author notified"
},
{
"lang": "en",
"time": "2026-05-17T00:00:00.000Z",
"value": "Fix released"
}
],
"title": "Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch.\n\nAlternatively, validate that all metrics and setr values sent to the client based on untrusted data do not contain metric injections\n\nThis is the same issue CVE-2026-46719 that affected Net::Statsd::Lite."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-46720",
"datePublished": "2026-05-17T17:51:41.133Z",
"dateReserved": "2026-05-16T00:56:00.338Z",
"dateUpdated": "2026-05-26T22:47:36.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46740 (GCVE-0-2026-46740)
Vulnerability from cvelistv5 – Published: 2026-05-26 22:48 – Updated: 2026-05-28 14:20
VLAI
Title
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections
Summary
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections.
The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Version 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720).
Severity
5.3 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/RRWO/Mojolicious-Plu… | release-notes |
| https://github.com/robrwo/perl-Mojolicious-Plugin… | patch |
| https://www.cve.org/CVERecord?id=CVE-2026-46720 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| RRWO | Mojolicious::Plugin::Statsd |
Affected:
0 , ≤ 0.04
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T14:20:31.875781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:20:34.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Mojolicious-Plugin-Statsd",
"product": "Mojolicious::Plugin::Statsd",
"repo": "https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd",
"vendor": "RRWO",
"versions": [
{
"lessThanOrEqual": "0.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections.\n\nThe metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\n\nVersion 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T22:48:03.747Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd/commit/f049156982a2c0b8050f173e24a04a29ddd64853.patch"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Mojolicious::Plugin::Statsd version 0.06 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-46740",
"datePublished": "2026-05-26T22:48:03.747Z",
"dateReserved": "2026-05-17T18:04:31.500Z",
"dateUpdated": "2026-05-28T14:20:34.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47069 (GCVE-0-2026-47069)
Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-27 15:40
VLAI
Title
CRLF injection in cookie domain/path options in hackney
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option — for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path — can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response.
This issue affects hackney: from 0.9.0 before 4.0.1.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/benoitc/hackney/security/advis… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-47069.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-47069 | related |
| https://github.com/benoitc/hackney/commit/8e02b99… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47069",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T15:57:10.763778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T15:57:18.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"hackney_cookie"
],
"packageName": "hackney",
"packageURL": "pkg:hex/hackney",
"product": "hackney",
"programFiles": [
"src/hackney_cookie.erl"
],
"programRoutines": [
{
"name": "hackney_cookie:setcookie/3"
}
],
"repo": "https://github.com/benoitc/hackney",
"vendor": "benoitc",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "0.9.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"hackney_cookie"
],
"packageName": "benoitc/hackney",
"packageURL": "pkg:github/benoitc/hackney",
"product": "hackney",
"programFiles": [
"src/hackney_cookie.erl"
],
"programRoutines": [
{
"name": "hackney_cookie:setcookie/3"
}
],
"repo": "https://github.com/benoitc/hackney",
"vendor": "benoitc",
"versions": [
{
"lessThan": "8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540",
"status": "affected",
"version": "602d5c7f2ea4acbc83ed75230655d935a0750ebc",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.1",
"versionStartIncluding": "0.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benoit Chesneau"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in benoitc hackney allows HTTP Response Splitting.\u003cp\u003eThe \u003ctt\u003ehackney_cookie:setcookie/3\u003c/tt\u003e function in \u003ctt\u003esrc/hackney_cookie.erl\u003c/tt\u003e validates the \u003ctt\u003eName\u003c/tt\u003e and \u003ctt\u003eValue\u003c/tt\u003e arguments against CRLF and control characters, but concatenates the \u003ctt\u003edomain\u003c/tt\u003e and \u003ctt\u003epath\u003c/tt\u003e options verbatim into the output iolist with no equivalent check. An attacker who controls either option \u2014 for example by supplying a \u003ctt\u003eHost\u003c/tt\u003e header value forwarded as the cookie domain, or a request path forwarded as the cookie path \u2014 can inject a literal CRLF sequence and arbitrary additional \u003ctt\u003eSet-Cookie\u003c/tt\u003e headers into the HTTP response.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 0.9.0 before 4.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option \u2014 for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path \u2014 can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response.\n\nThis issue affects hackney: from 0.9.0 before 4.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-34",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-34 HTTP Response Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:40:38.975Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-47069.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47069"
},
{
"tags": [
"patch"
],
"url": "https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CRLF injection in cookie domain/path options in hackney",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-47069",
"datePublished": "2026-05-25T14:00:39.394Z",
"dateReserved": "2026-05-18T17:28:08.322Z",
"dateUpdated": "2026-05-27T15:40:38.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47072 (GCVE-0-2026-47072)
Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-27 15:41
VLAI
Title
CRLF injection in WebSocket upgrade request in hackney
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.
This issue affects hackney: from 2.0.0 before 4.0.1.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/benoitc/hackney/security/advis… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-47072.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-47072 | related |
| https://github.com/benoitc/hackney/commit/52310ca… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47072",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T15:46:12.092004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T15:46:14.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"hackney_ws"
],
"packageName": "hackney",
"packageURL": "pkg:hex/hackney",
"product": "hackney",
"programFiles": [
"src/hackney_ws.erl"
],
"programRoutines": [
{
"name": "hackney_ws:do_handshake/1"
},
{
"name": "hackney_ws:init/1"
}
],
"repo": "https://github.com/benoitc/hackney",
"vendor": "benoitc",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"hackney_ws"
],
"packageName": "benoitc/hackney",
"packageURL": "pkg:github/benoitc/hackney",
"product": "hackney",
"programFiles": [
"src/hackney_ws.erl"
],
"programRoutines": [
{
"name": "hackney_ws:do_handshake/1"
},
{
"name": "hackney_ws:init/1"
}
],
"repo": "https://github.com/benoitc/hackney",
"vendor": "benoitc",
"versions": [
{
"lessThan": "52310ca807e7b48441ba0e9129171f535313fdd1",
"status": "affected",
"version": "690cecaf236fba49526da404a5bc889a24367a3e",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.1",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benoit Chesneau"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in benoitc hackney allows HTTP Request/Response Splitting.\u003cp\u003eThe WebSocket upgrade code in \u003ctt\u003esrc/hackney_ws.erl\u003c/tt\u003e copies the \u003ctt\u003ehost\u003c/tt\u003e, \u003ctt\u003epath\u003c/tt\u003e, \u003ctt\u003eheaders\u003c/tt\u003e (ExtraHeaders), and \u003ctt\u003eprotocols\u003c/tt\u003e options from the caller-supplied opts map into the internal \u003ctt\u003e#ws_data{}\u003c/tt\u003e record in \u003ctt\u003einit/1\u003c/tt\u003e and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in \u003ctt\u003edo_handshake/1\u003c/tt\u003e. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options \u2014 for example by forwarding URL components or header values from untrusted input into \u003ctt\u003ehackney_ws:start_link/1\u003c/tt\u003e \u2014 can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 2.0.0 before 4.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options \u2014 for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 \u2014 can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.\n\nThis issue affects hackney: from 2.0.0 before 4.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-33",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-33 HTTP Request Smuggling"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:41:24.863Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-47072.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47072"
},
{
"tags": [
"patch"
],
"url": "https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CRLF injection in WebSocket upgrade request in hackney",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-47072",
"datePublished": "2026-05-25T14:00:47.852Z",
"dateReserved": "2026-05-18T17:28:08.322Z",
"dateUpdated": "2026-05-27T15:41:24.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- Avoid using CRLF as a special sequence.
Mitigation
Phase: Implementation
Description:
- Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.