CVE-2026-43968

EPSS 0.22%
Veröffentlicht 11.05.2026 18:06:42
Zuletzt bearbeitet 21.05.2026 13:59:07
Quelle 6b3ad84c-e1a6-4bf7-a703-f496b7
CVE-Watchlists
Login
Unerledigt
Login

CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.

cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Because the SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.

This issue affects cowlib from 2.6.0 before 2.16.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ninenines ≫ Cowlib Version >= 2.6.0 < 2.16.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.12

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	6.3	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

https://cna.erlef.org/cves/CVE-2026-43968.html

Vendor Advisory

https://osv.dev/vulnerability/EEF-CVE-2026-43968

Third Party Advisory

https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-43968

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-43968

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-43968

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-43968