CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CVE-2026-22777 (GCVE-0-2026-22777)
Vulnerability from cvelistv5 – Published: 2026-01-10 06:43 – Updated: 2026-01-12 13:22
VLAI
Title
ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler
Summary
ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5.
Severity
7.5 (High)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Comfy-Org/ComfyUI-Manager/secu… | x_refsource_CONFIRM |
| https://github.com/Comfy-Org/ComfyUI-Manager/comm… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Comfy-Org | ComfyUI-Manager |
Affected:
>= 4.0.0, < 4.0.5
Affected: < 3.39.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-12T13:22:21.429246Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T13:22:32.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ComfyUI-Manager",
"vendor": "Comfy-Org",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.5"
},
{
"status": "affected",
"version": "\u003c 3.39.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T06:43:21.579Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2"
},
{
"name": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410"
}
],
"source": {
"advisory": "GHSA-562r-8445-54r2",
"discovery": "UNKNOWN"
},
"title": "ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22777",
"datePublished": "2026-01-10T06:43:21.579Z",
"dateReserved": "2026-01-09T18:27:19.388Z",
"dateUpdated": "2026-01-12T13:22:32.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23829 (GCVE-0-2026-23829)
Vulnerability from cvelistv5 – Published: 2026-01-18 23:23 – Updated: 2026-01-20 20:08
VLAI
Title
Mailpit has SMTP Header Injection via Regex Bypass
Summary
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
Severity
5.3 (Medium)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/axllent/mailpit/security/advis… | x_refsource_CONFIRM |
| https://github.com/axllent/mailpit/commit/36cc06c… | x_refsource_MISC |
| https://github.com/axllent/mailpit/releases/tag/v1.28.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23829",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:08:32.596156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:08:41.935Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailpit",
"vendor": "axllent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.28.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit\u0027s SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\\r` and `\\n` when used inside a character class. Version 1.28.3 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T18:59:54.087Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c"
},
{
"name": "https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534"
},
{
"name": "https://github.com/axllent/mailpit/releases/tag/v1.28.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/axllent/mailpit/releases/tag/v1.28.3"
}
],
"source": {
"advisory": "GHSA-54wq-72mp-cq7c",
"discovery": "UNKNOWN"
},
"title": "Mailpit has SMTP Header Injection via Regex Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23829",
"datePublished": "2026-01-18T23:23:04.176Z",
"dateReserved": "2026-01-16T15:46:40.841Z",
"dateUpdated": "2026-01-20T20:08:41.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23953 (GCVE-0-2026-23953)
Vulnerability from cvelistv5 – Published: 2026-01-22 21:39 – Updated: 2026-01-26 21:00
VLAI
Title
Incus container environment configuration newline injection
Summary
Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only). A fix is planned for versions 6.0.6
and 6.21.0, but they have not been released at the time of publication.
Severity
8.7 (High)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/lxc/incus/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/lxc/incus/blob/HEAD/internal/s… | x_refsource_MISC |
| https://github.com/user-attachments/files/2447368… | x_refsource_MISC |
| https://github.com/user-attachments/files/2447368… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23953",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T21:00:32.625486Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T21:00:46.311Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "incus",
"vendor": "lxc",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.1.0, \u003c= 6.20.0"
},
{
"status": "affected",
"version": "\u003c= 6.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the \u2018incus\u2019 group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container\u2019s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only). A fix is planned for versions 6.0.6\nand 6.21.0, but they have not been released at the time of publication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T21:39:41.015Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lxc/incus/security/advisories/GHSA-x6jc-phwx-hp32",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lxc/incus/security/advisories/GHSA-x6jc-phwx-hp32"
},
{
"name": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081"
},
{
"name": "https://github.com/user-attachments/files/24473682/environment_newline_injection.sh",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/24473682/environment_newline_injection.sh"
},
{
"name": "https://github.com/user-attachments/files/24473685/environment_newline_injection.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/files/24473685/environment_newline_injection.patch"
}
],
"source": {
"advisory": "GHSA-x6jc-phwx-hp32",
"discovery": "UNKNOWN"
},
"title": "Incus container environment configuration newline injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23953",
"datePublished": "2026-01-22T21:39:41.015Z",
"dateReserved": "2026-01-19T14:49:06.312Z",
"dateUpdated": "2026-01-26T21:00:46.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2400 (GCVE-0-2026-2400)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:22 – Updated: 2026-04-14 16:27
VLAI
Summary
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions 1.4 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T16:23:35.812067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:27:22.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions 1.4 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload."
}
],
"value": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:22:53.245Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-2400",
"datePublished": "2026-04-14T15:22:53.245Z",
"dateReserved": "2026-02-12T13:17:07.149Z",
"dateUpdated": "2026-04-14T16:27:22.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2442 (GCVE-0-2026-2442)
Vulnerability from cvelistv5 – Published: 2026-03-28 09:27 – Updated: 2026-04-08 17:24
VLAI
Title
Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email'
Summary
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers.
Severity
5.3 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| softaculous | Page Builder: Pagelayer – Drag and Drop website builder |
Affected:
0 , ≤ 2.0.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2442",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T18:27:13.988527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T18:27:20.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder",
"vendor": "softaculous",
"versions": [
{
"lessThanOrEqual": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the \u0027email\u0027 parameter granted they can target a contact form configured to use placeholders in mail template headers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:19.051Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce101aad-10a3-4a8c-9f4a-0e38e35b4dab?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3464204/pagelayer"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-13T01:38:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-27T20:45:22.000Z",
"value": "Disclosed"
}
],
"title": "Pagelayer \u003c= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via \u0027email\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2442",
"datePublished": "2026-03-28T09:27:10.474Z",
"dateReserved": "2026-02-13T01:21:59.845Z",
"dateUpdated": "2026-04-08T17:24:19.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24489 (GCVE-0-2026-24489)
Vulnerability from cvelistv5 – Published: 2026-01-27 00:36 – Updated: 2026-01-27 14:46
VLAI
Title
Gakido vulnerable to HTTP Header Injection (CRLF Injection)
Summary
Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests.
Severity
5.3 (Medium)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/HappyHackingSpace/gakido/secur… | x_refsource_CONFIRM |
| https://github.com/HappyHackingSpace/gakido/commi… | x_refsource_MISC |
| https://github.com/HappyHackingSpace/gakido/relea… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HappyHackingSpace | gakido |
Affected:
< 0.1.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24489",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T14:46:28.507941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T14:46:42.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gakido",
"vendor": "HappyHackingSpace",
"versions": [
{
"status": "affected",
"version": "\u003c 0.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\\r\\n` (CRLF), `\\n` (LF), or `\\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\\r`, `\\n`, and `\\x00` characters from both header names and values before they are included in HTTP requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T00:36:34.230Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9"
},
{
"name": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788"
},
{
"name": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019"
}
],
"source": {
"advisory": "GHSA-gcgx-chcp-hxp9",
"discovery": "UNKNOWN"
},
"title": "Gakido vulnerable to HTTP Header Injection (CRLF Injection)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24489",
"datePublished": "2026-01-27T00:36:34.230Z",
"dateReserved": "2026-01-23T00:38:20.548Z",
"dateUpdated": "2026-01-27T14:46:42.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26962 (GCVE-0-2026-26962)
Vulnerability from cvelistv5 – Published: 2026-04-02 17:10 – Updated: 2026-04-03 18:13
VLAI
Title
Rack: Header injection in multipart requests
Summary
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.
Severity
4.8 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/rack/rack/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:31:17.511210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T18:13:06.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:10:17.091Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv"
}
],
"source": {
"advisory": "GHSA-rx22-g9mx-qrhv",
"discovery": "UNKNOWN"
},
"title": "Rack: Header injection in multipart requests"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26962",
"datePublished": "2026-04-02T17:10:17.091Z",
"dateReserved": "2026-02-16T22:20:28.612Z",
"dateUpdated": "2026-04-03T18:13:06.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2717 (GCVE-0-2026-2717)
Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 18:29
VLAI
Title
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values
Summary
The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service.
Severity
5.5 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zinoui | HTTP Headers |
Affected:
0 , ≤ 1.19.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T18:29:07.769656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T18:29:28.392Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HTTP Headers",
"vendor": "zinoui",
"versions": [
{
"lessThanOrEqual": "1.19.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kai Aizen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the \u0027Custom Headers\u0027 settings, leading to Apache configuration parse errors and potential site-wide denial of service."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T07:45:37.169Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7716e77f-e899-4046-9421-86fc0c36c245?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1098"
},
{
"url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1098"
},
{
"url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L745"
},
{
"url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L745"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-21T19:13:17.000Z",
"value": "Disclosed"
}
],
"title": "HTTP Headers \u003c= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2717",
"datePublished": "2026-04-22T07:45:37.169Z",
"dateReserved": "2026-02-18T21:00:50.620Z",
"dateUpdated": "2026-04-22T18:29:28.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28296 (GCVE-0-2026-28296)
Vulnerability from cvelistv5 – Published: 2026-02-26 15:10 – Updated: 2026-02-26 18:23
VLAI
Title
Gvfs: ftp gvfs backend: arbitrary ftp command injection via crlf sequences in file paths
Summary
A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.
Severity
4.3 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-28296 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2443003 | issue-trackingx_refsource_REDHAT |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
Date Public
2026-02-26 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T18:22:57.299756Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:23:09.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "gvfs",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"packageName": "gvfs",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"packageName": "gvfs",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "gvfs",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "gvfs",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Codean Labs for reporting this issue."
}
],
"datePublic": "2026-02-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:10:47.917Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-28296"
},
{
"name": "RHBZ#2443003",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443003"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-26T13:34:03.961Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-26T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Gvfs: ftp gvfs backend: arbitrary ftp command injection via crlf sequences in file paths",
"workarounds": [
{
"lang": "en",
"value": "To reduce the risk associated with this vulnerability, users should avoid connecting to untrusted FTP servers or opening FTP links from unverified sources. Implementing network-level restrictions, such as firewall rules, to limit outbound connections to only trusted FTP servers can further mitigate potential exposure. If the GVfs FTP backend is not essential for daily operations, consider removing or disabling packages that provide this functionality, though this action may affect other desktop environment features that rely on GVfs for FTP access."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-28296",
"datePublished": "2026-02-26T15:10:47.917Z",
"dateReserved": "2026-02-26T13:34:41.532Z",
"dateUpdated": "2026-02-26T18:23:09.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28753 (GCVE-0-2026-28753)
Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-24 15:24
VLAI
Title
NGINX ngx_mail_proxy_module vulnerability
Summary
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000160367 | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Open Source |
Affected:
1.29.0 , < 1.29.7
(semver)
Affected: 0.6.27 , < 1.28.3 (semver) |
|
| F5 | NGINX Plus |
Affected:
R36 , < R36 P3
(custom)
Affected: R35 , < R35 P2 (custom) Affected: R34 , < * (custom) Affected: R33 , < * (custom) Affected: R32 , < R32 P5 (custom) |
Date Public
2026-03-24 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T15:24:28.689685Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:24:34.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_mail_proxy_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.29.7",
"status": "affected",
"version": "1.29.0",
"versionType": "semver"
},
{
"lessThan": "1.28.3",
"status": "affected",
"version": "0.6.27",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unknown",
"modules": [
"ngx_mail_proxy_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "R36 P3",
"status": "affected",
"version": "R36",
"versionType": "custom"
},
{
"lessThan": "R35 P2",
"status": "affected",
"version": "R35",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "R34",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "R33",
"versionType": "custom"
},
{
"lessThan": "R32 P5",
"status": "affected",
"version": "R32",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Asim Viladi Oglu Manizada"
},
{
"lang": "en",
"type": "reporter",
"value": "Colin Warren"
},
{
"lang": "en",
"type": "reporter",
"value": "Xiao Liu (Yunnan University)"
},
{
"lang": "en",
"type": "reporter",
"value": "Yuan Tan (UC Riverside)"
},
{
"lang": "en",
"type": "reporter",
"value": "Bird Liu (Lanzhou University)"
}
],
"datePublic": "2026-03-24T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:49:49.169Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000160367"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NGINX ngx_mail_proxy_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-28753",
"datePublished": "2026-03-24T14:13:26.107Z",
"dateReserved": "2026-03-18T16:06:38.435Z",
"dateUpdated": "2026-03-24T15:24:34.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- Avoid using CRLF as a special sequence.
Mitigation
Phase: Implementation
Description:
- Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.