CVE-2026-7010

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d.patch
https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/changes
http://www.openwall.com/lists/oss-security/2026/05/11/17

Configurations

No configuration.

History

12 May 2026, 15:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

12 May 2026, 00:17

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2026/05/11/17 -

11 May 2026, 22:22

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-11 22:22

Updated : 2026-06-17 11:01

NVD link : CVE-2026-7010

Mitre link : CVE-2026-7010

CVE.ORG link : CVE-2026-7010

JSON object : View

Products Affected

No product.

CWE

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

{"id": "CVE-2026-7010", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-7010", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-12T14:43:55.536998Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "affected": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "affectedData": [{"repo": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny", "vendor": "HAARG", "product": "HTTP::Tiny", "versions": [{"status": "affected", "version": "0", "lessThan": "0.093", "versionType": "custom"}], "packageName": "HTTP-Tiny", "programFiles": ["lib/HTTP/Tiny.pm"], "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected"}]}], "published": "2026-05-11T22:22:14.750", "references": [{"url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/changes", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/11/17", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-113"}]}], "descriptions": [{"lang": "en", "value": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.\n\nThe unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.\n\nAn attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server."}], "lastModified": "2026-06-17T11:01:37.993", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}