27 matches found

CVE
added 6 days ago | 15 views

CVE-2026-9679

undici vulnerability CVE-2026-9679 affects the cookie parsing paths (parseSetCookie, parseCookie, getSetCookies). The cookie parser percent-decodes values (via qsUnescape), turning sequences like %0D%0A, %00, %3B, and %3D into literal bytes. RFC 6265 §5.4 does not require decoding and browsers do...

5.9 CVSS | 5.5 AI score | 0.00205 EPSS
Exploits 0 | References 2

RedhatCVE
added 2026/06/03 10:1 p.m. | 11 views

CVE-2026-38967

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values...

9.8 CVSS | 5.8 AI score | 0.00332 EPSS
Exploits 0 | References 1

NVD
added 2026/06/02 8:16 p.m. | 13 views

CVE-2026-38967

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values...

9.8 CVSS | 0.00332 EPSS
Exploits 0 | References 2

CNNVD
added 2026/06/02 12:0 a.m. | 4 views

Crow security vulnerability

Crow is a C++ microframework developed by Crow OpenSource, used for running web services. Versions of Crow 1.3.1 and earlier contain security vulnerabilities; these vulnerabilities stem from unvalidated response header values, which may lead to response header injection attacks...

9.8 CVSS | 5.4 AI score | 0.00332 EPSS
Exploits 0 | References 3

CVE
added 2026/04/03 11:43 p.m. | 12 views

CVE-2026-34767

CVE-2026-34767 affects Electron before 38.8.6, 39.8.3, 40.8.3, and 41.0.3. It describes HTTP response header injection when apps register custom protocol handlers (protocol.handle / protocol.registerSchemesAsPrivileged) or modify headers via webRequest.onHeadersReceived if attacker-controlled inp...

6.5 CVSS | 5.8 AI score | 0.00211 EPSS
Exploits 0 | References 1 | Affected Software 1

EUVD
added 2026/04/03 2:37 a.m. | 5 views

EUVD-2026-18933

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest...

5.9 CVSS | 5.9 AI score | 0.00211 EPSS
Exploits 0 | References 1

Github Security Blog
added 2026/04/03 2:37 a.m. | 3 views

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

Impact: Apps that register custom protocol handlers via protocol.handle / protocol.registerSchemesAsPrivileged or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or...

6.5 CVSS | 5.9 AI score | 0.00211 EPSS
Exploits 0 | References 3 | Affected Software 1

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2018-3384

Malware in sbrugna...

8.8 CVSS | 8.8 AI score | 0.01324 EPSS
Exploits 1 | References 2

OSV
added 2025/03/27 6:1 p.m. | 6 views

GHSA-PFQJ-W6R6-G86V Pitchfork HTTP Request/Response Splitting vulnerability

Impact: HTTP Response Header Injection in Pitchfork Versions 0.11.0 when used in conjunction with Rack 3. Patches: The issue was fixed in Pitchfork release 0.11.0. Workarounds: There are no known workarounds. Users must upgrade...

4.3 CVSS | 7.4 AI score | 0.0025 EPSS
Exploits 0 | References 5

NVD
added 2025/03/27 3:16 p.m. | 15 views

CVE-2025-30221

Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available...

4.3 CVSS | 0.0025 EPSS
Exploits 0 | References 2

OSV
added 2025/03/27 2:46 p.m. | 7 views

CVE-2025-30221 Pitchfork HTTP Request/Response Splitting vulnerability

Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available...

4.3 CVSS | 4.8 AI score | 0.0025 EPSS
Exploits 0 | References 4

RubySec
added 2025/03/27 12:0 a.m. | 9 views

Pitchfork HTTP Request/Response Splitting vulnerability

Impact: HTTP Response Header Injection in Pitchfork Versions 0.11.0 when used in conjunction with Rack 3. Patches: The issue was fixed in Pitchfork release 0.11.0. Workarounds: There are no known workarounds. Users must upgrade...

4.3 CVSS | 7.4 AI score | 0.0025 EPSS
Exploits 0 | References 1 | Affected Software 1

Tenable Nessus
added 2024/02/22 12:0 a.m. | 44 views

Ubuntu 20.04 LTS : Firefox vulnerabilities (USN-6649-1)

The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6649-1 advisory. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially explo...

9.8 CVSS | 7.8 AI score | 0.00937 EPSS
Exploits 2 | References 13

Hacker One
added 2023/12/10 6:13 a.m. | 8 views

Shopify: HTTP Response Header Injection in shopify/pitchfork + Rack 3

The HTTP response header injection vulnerability was discovered in the Pitchfork library version 0.10.0 when used with Rack 3. The issue stemmed from improper handling of header values containing newline characters in the appendheader method of the HTTP response module. When Rack 3 was used, the...

4.3 CVSS | 4.8 AI score | 0.0025 EPSS
Exploits 0

NVD
added 2023/07/20 8:15 p.m. | 10 views

CVE-2020-24275

An HTTP response header injection vulnerability in Swoole v4.5.2 allows attackers to execute arbitrary code via supplying a crafted URL...

6.5 CVSS | 6.8 AI score | 0.00694 EPSS
Exploits 1 | References 4

Vulnrichment
added 2023/07/20 12:0 a.m. | 11 views

CVE-2020-24275

An HTTP response header injection vulnerability in Swoole v4.5.2 allows attackers to execute arbitrary code via supplying a crafted URL...

7.9 AI score | 0.00694 EPSS
Exploits 1 | References 4

RedHat Linux
added 2020/06/11 9:3 a.m. | 0 views

resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class

A flaw was found in Resteasy, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed...

7.5 CVSS | 5.7 AI score | 0.02023 EPSS
Exploits 0 | References 4

Prion
added 2018/12/04 5:29 p.m. | 17 views

Design/Logic Flaw

The YunoHost 2.7.2 through 2.7.14 web application is affected by one HTTP Response Header Injection. This flaw allows an attacker to inject, into the response from the server, one or several HTTP headers. It requires an interaction with the user to send him the malicious link. It could be used to...

6.8 CVSS | 8.4 AI score | 0.01324 EPSS
Exploits 1 | References 1 | Affected Software 1

NVD
added 2018/12/04 5:29 p.m. | 30 views

CVE-2018-11347

The YunoHost 2.7.2 through 2.7.14 web application is affected by one HTTP Response Header Injection. This flaw allows an attacker to inject, into the response from the server, one or several HTTP headers. It requires an interaction with the user to send him the malicious link. It could be used to...

8.8 CVSS | 8.5 AI score | 0.01324 EPSS
Exploits 1 | References 1

CVE
added 2018/12/04 5:0 p.m. | 42 views

CVE-2018-11347

The CVE-2018-11347 entry concerns the YunoHost web application (versions 2.7.2 through 2.7.14). Affected component/issue: HTTP Response Header Injection, enabling an attacker to inject one or more HTTP headers in server responses. Attack requirements: user interaction is needed (the attacker must...

8.8 CVSS | 8.4 AI score | 0.01324 EPSS
Exploits 1 | References 1 | Affected Software 1