CVE-2026-3633 Libsoup: libsoup: header and http request injection via crlf injection

🗓️ 17 Mar 2026 09:44:19Reported by redhatType

CVE-2026-3633: Libsoup CRLF injection via soup_message_new() method enables header and request data injection.

Reporter	Title	Published	Views	Family All 15
ATTACKERKB	CVE-2026-3633	17 Mar 202609:44	–	attackerkb
CNNVD	libsoup 注入漏洞	17 Mar 202600:00	–	cnnvd
CVE	CVE-2026-3633	17 Mar 202609:44	–	cve
Debian CVE	CVE-2026-3633	17 Mar 202609:44	–	debiancve
EUVD	EUVD-2026-12560	17 Mar 202612:30	–	euvd
NVD	CVE-2026-3633	17 Mar 202610:16	–	nvd
OSV	DEBIAN-CVE-2026-3633	17 Mar 202610:16	–	osv
OSV	ECHO-13F8-D7EC-BFEF	1 Jun 202607:29	–	osv
OSV	UBUNTU-CVE-2026-3633	17 Mar 202610:16	–	osv
RedhatCVE	CVE-2026-3633	6 Mar 202608:35	–	redhatcve

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 10",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "libsoup3",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:10"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 6",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "libsoup",
    "defaultStatus": "unknown",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:6"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "libsoup",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "libsoup",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "libsoup",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:9"
    ]
  }
]

Source	Link
access	www.access.redhat.com/security/cve/CVE-2026-3633
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
gitlab	www.gitlab.gnome.org/GNOME/libsoup/-/issues/484

19 Mar 2026 20:57Current

CVSS 3.13.9

EPSS0.00048

CWE-93