22 matches found
CVE-2026-47069 CRLF injection in cookie domain/path options in hackney
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackneycookie:setcookie/3 function in src/hackneycookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and...
HTTP Response Splitting
Overview eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Affected versions of this package are vulnerable to HTTP Response Splitting via unsanitized event and id fields in the encoding process. An attacker can inject arbitrary Server-Sent Events...
Astra Linux - vulnerability in ruby2.5
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allow HTTP response splitting. This is relevant for applications that use untrusted user input, either to generate an HTTP response or to create a CGI::Cookie object...
GHSA-C3H8-G69V-PJRG i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header
Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...
HTTP Response Splitting
Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the MailAddressParser.TryParseAddress function due to improper neutralisation of CRLF sequences. An attacker can impersonate another user or entity by sending specially crafted data over the network...
HTTP Response Splitting
Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the MailAddressParser.TryParseAddress function due to improper neutralisation of CRLF sequences. An attacker can impersonate another user or entity by sending specially crafted data over the network...
GHSA-MWH4-6H8G-PG8W AIOHTTP has HTTP response splitting via \r in reason phrase
Summary An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. Impact In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the...
HTTP Response Splitting
Overview Affected versions of this package are vulnerable to HTTP Response Splitting in the construction of multipart request headers when untrusted input is used for the contenttype parameter. An attacker can inject arbitrary headers or manipulate HTTP requests by supplying specially crafted...
CVE-2026-34519 AIOHTTP: HTTP response splitting via \r in reason phrase
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...
PT-2026-28296
Name of the Vulnerable Software and Affected Versions HCL Aftermarket DPC affected versions not specified Description HCL Aftermarket DPC is susceptible to an HTTP Response Splitting issue. The impact of this issue depends on how the web application processes split responses, potentially allowing...
CVE-2024-40324
A CRLF injection vulnerability in E-Staff v5.1 allows attackers to insert Carriage Return (CR) and Line Feed (LF) characters into input fields, leading to HTTP response splitting and header manipulation...
PT-2024-20800 · Kickdler · Kickdler
Name of the Vulnerable Software and Affected Versions: Kickdler versions prior to 1.107.0 Description: The issue allows attackers to provide an XSS payload via an HTTP response splitting attack. Recommendations: For versions prior to 1.107.0, update to version 1.107.0 or later to resolve the issue...
Important: ruby
Issue Overview: The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. CVE-2021-33621 Affected Packages:...
UBUNTU-CVE-2021-33621
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object...
PT-2022-11403 · Asus · Asus Rt-Ax88U
Name of the Vulnerable Software and Affected Versions: ASUS RT-AX88U versions prior to 3.0.0.4.388.20558 Description: The issue allows an attacker to perform an HTTP response splitting attack, enabling them to craft a specific URL. If an authenticated victim visits this URL, it grants the attacke...
CVE-2022-37240
MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to HTTP Response splitting via the format parameter...
IBM Cloud Orchestrator HTTP Response Splitting Vulnerability (CNVD-2019-39202)
IBM Cloud Orchestrator is a suite of cloud management solutions from IBM in the United States. The program provides extended internal and external deployment of cloud services and application program interfaces and tools to extend the integration with existing environments and other functions. An...
CVE-2019-15259
A vulnerability in Cisco Unified Contact Center Express (UCCX) Software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system...
CVE-2017-12308
A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation ...
CVE-2017-1291
IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using a specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attack...