5.8

CVE-2026-1536

Exploit

Libsoup: libsoup: http header injection or response splitting via crlf injection in content-disposition header

A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GnomeLibsoup Version-
RedhatEnterprise Linux Version6.0
RedhatEnterprise Linux Version7.0
RedhatEnterprise Linux Version8.0
RedhatEnterprise Linux Version9.0
RedhatEnterprise Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.3% 0.212
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
secalert@redhat.com 5.8 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

https://access.redhat.com/security/cve/CVE-2026-1536
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2433834
Third Party Advisory
Issue Tracking
https://gitlab.gnome.org/GNOME/libsoup/-/issues/486
Vendor Advisory
Exploit
Issue Tracking