CVE-2026-9658

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET /path\r\nHTTP/1.1\r\nHost: secret.example.com Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes
http://www.openwall.com/lists/oss-security/2026/05/28/9

Configurations

No configuration.

History

01 Jun 2026, 19:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.3

28 May 2026, 23:16

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2026/05/28/9 -

28 May 2026, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-28 13:16

Updated : 2026-06-17 11:05

NVD link : CVE-2026-9658

Mitre link : CVE-2026-9658

CVE.ORG link : CVE-2026-9658

JSON object : View

Products Affected

No product.

CWE

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-790

Improper Filtering of Special Elements

{"id": "CVE-2026-9658", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-9658", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-01T18:00:08.268723Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "affected": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "affectedData": [{"repo": "https://github.com/robrwo/Plack-Middleware-Security-Simple", "vendor": "RRWO", "product": "Plack::Middleware::Security::Common", "versions": [{"status": "affected", "version": "0", "lessThan": "0.13.1", "versionType": "custom"}], "packageName": "Plack-Middleware-Security-Simple", "programFiles": ["lib/Plack/Middleware/Security/Common.pm"], "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "programRoutines": [{"name": "Plack::Middleware::Security::Common::header_injection"}]}]}], "published": "2026-05-28T13:16:25.067", "references": [{"url": "https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/28/9", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-113"}, {"lang": "en", "value": "CWE-790"}]}], "descriptions": [{"lang": "en", "value": "Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.\n\nThe header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,\n\n GET /path\\r\\nHTTP/1.1\\r\\nHost: secret.example.com\n\nNote that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers."}], "lastModified": "2026-06-17T11:05:34.307", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}