
CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) — Vulnerability Class 107

107 vulnerabilities classified as CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')). AI-generated Chinese analysis included.

CWE-93 represents a critical input validation weakness in which an application fails to neutralize carriage return (CR) and line feed (LF) characters in user-supplied data before that data is placed into a CRLF-delimited format such as an HTTP header. This typically lets an attacker inject additional HTTP headers or split a response into two, which is the basis of HTTP response splitting, session fixation (through an injected Set-Cookie header) and cross-site scripting in an injected response body. By controlling where lines end, an adversary can alter the structure of a web response, for example redirecting users to a phishing site or injecting script into the browser context. To mitigate this risk, developers must validate and sanitize every input that reaches a header or record, filtering out or encoding CR and LF before use. A strict allow-list of acceptable characters, combined with framework-provided header-setting or encoding functions that reject control characters, neutralizes these sequences, preserves the integrity of HTTP headers and prevents the injected data from changing application behaviour.

MITRE CWE Description
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Common Consequences (1)
Integrity: Modify Application Data
Mitigations (2)
Implementation: Avoid using CRLF as a special sequence.
Implementation: Appropriately filter or quote CRLF sequences in user-controlled input.
Examples (2)
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
    String author = request.getParameter(AUTHOR_PARAM);
    ...
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);
Bad · Java
    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    ...
Result
The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment …
    name: Deploy Preview
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: 'Download artifact'
            uses: actions/github-script
            with:
              script: |
                var artifacts = await github.actions.listWorkflowRunArtifacts({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  run_id: ${{ github.event.workflow_run.id }},
                });
                var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
                  return artifact.name == "pr"
                })[0];
                var downloadPr = await github.actions.downloadArtifact({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  artifact_id: matchPrArtifact.id,
                  archive_format: 'zip',
                });
                var fs = require('fs');
Bad · Other
\nNODE_OPTIONS="--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//"
Attack
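The two mitigations listed above (reject or filter CRLF in user-controlled input; do not let user data end a CRLF-delimited record) applied to both CWE examples, as an added illustration that is not part of the MITRE entry or of this page: the cookie-header case is handled by refusing or stripping CR/LF before the value reaches a Set-Cookie line, and the workflow case by validating that the NR artifact is a plain number and, for values that legitimately contain newlines, writing the GitHub Actions heredoc form NAME<<DELIM ... DELIM with a random delimiter. All function names are chosen here, and parse_env_assignments is a simplified, constructed model of how a NAME=value file is consumed, not the runner's own parser.

```python
import re
import secrets

# CR, LF and NUL: the characters that turn one header line or one NAME=value
# record into two. Rejecting all three is the conservative choice.
_CTL = re.compile(r"[\r\n\x00]")


def contains_crlf(value: str) -> bool:
    """True if value carries CR, LF or NUL anywhere."""
    return _CTL.search(value) is not None


def set_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie line from request-supplied data (the Java example above)
    and refuse, rather than emit, anything that would end the header early."""
    if contains_crlf(name) or contains_crlf(value):
        raise ValueError("CR/LF/NUL not allowed in cookie name or value")
    return f"Set-Cookie: {name}={value}"


def neutralize(value: str) -> str:
    """Filtering alternative to rejection: drop CR/LF/NUL so the value stays on one line."""
    return _CTL.sub("", value)


def parse_pr_number(file_contents: str) -> int:
    """Allow-list fix for the workflow example: the NR artifact must be a plain
    decimal number, so a newline (or anything else) in it is an error."""
    text = file_contents.strip()
    if not re.fullmatch(r"[0-9]{1,9}", text):
        raise ValueError("NR artifact is not a plain PR number")
    return int(text)


def github_env_assignment(name: str, value: str) -> str:
    """Render one assignment for $GITHUB_ENV. Single-line values use NAME=value;
    a value containing a newline is written with the documented heredoc form
    NAME<<DELIM ... DELIM, with a random delimiter so an embedded line cannot be
    mistaken for a second assignment."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError("invalid environment variable name")
    if not contains_crlf(value):
        return f"{name}={value}\n"
    delim = "ghadelim_" + secrets.token_hex(16)  # unguessable, so not present in value
    return f"{name}<<{delim}\n{value}\n{delim}\n"


def parse_env_assignments(text: str) -> list:
    """Simplified model (constructed here, not the runner's code) of how a NAME=value
    file is consumed: one assignment per line, with NAME<<DELIM blocks swallowing
    lines until DELIM. Returns the variable names that would be set, in order."""
    names = []
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        head = lines[i].split("<<", 1)
        if len(head) == 2 and re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", head[0]):
            names.append(head[0])
            delim = head[1]
            i += 1
            while i < len(lines) and lines[i] != delim:
                i += 1
        elif "=" in lines[i]:
            names.append(lines[i].split("=", 1)[0])
        i += 1
    return names


if __name__ == "__main__":
    # Constructed inputs: a benign author name and one carrying a CRLF sequence.
    print(set_cookie_header("author", "Jane Smith"))
    print(neutralize("Jane Smith\r\nX-Injected: 1"))

    # Constructed NR artifact whose second line would become a new variable
    # if written as pr_number=$(cat ./NR) without validation.
    tampered = "42\nEVIL_VAR=1"
    print(parse_env_assignments(f"pr_number={tampered}\n"))                      # two names
    print(parse_env_assignments(github_env_assignment("pr_number", tampered)))   # one name
    try:
        parse_pr_number(tampered)
    except ValueError as err:
        print("rejected:", err)
```

Of the two workflow-side fixes, parse_pr_number is the one to prefer when the value has a known shape: an allow-list leaves nothing for a newline to do. The heredoc form is for values that genuinely need to be multi-line, and it only helps if the delimiter cannot be predicted by whoever produced the artifact.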
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-48861 | CRLF injection in HTTP/1 request line via unvalidated method in Mint | mint | - | - | 2026-06-02 |
| CVE-2026-45372 | cpp-httplib: HTTP header value percent-decoding in server-side `parse_header` enables CRLF injection | cpp-httplib | 9.9 | Critical | 2026-05-29 |
| CVE-2026-49130 | Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx | MPD | 5.3 | Medium | 2026-05-28 |
| CVE-2026-46740 | Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections | Mojolicious::Plugin::Statsd | - | - | 2026-05-26 |
| CVE-2026-44214 | eventsource-encoder: SSE event injection via unsanitized event and id fields | eventsource-encoder | 5.8 | Medium | 2026-05-26 |
| CVE-2026-47072 | CRLF injection in WebSocket upgrade request in hackney | hackney | - | - | 2026-05-25 |
| CVE-2026-47075 | CR/LF injection in query parameter in hackney | hackney | - | - | 2026-05-25 |
| CVE-2026-47069 | CRLF injection in cookie domain/path options in hackney | hackney | - | - | 2026-05-25 |
| CVE-2026-8788 | Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections | Net::Statsd::Lite | - | - | 2026-05-18 |
| CVE-2026-46720 | Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections | Net::Statsd::Tiny | - | - | 2026-05-17 |
| CVE-2026-46719 | Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections | Net::Statsd::Lite | - | - | 2026-05-16 |
| CVE-2026-32993 | cPanel injection vulnerability | cPanel | 8.3 | High | 2026-05-13 |
| CVE-2026-42586 | Netty: CRLF Injection in Netty Redis Codec Encoder | netty | 6.8 | Medium | 2026-05-13 |
| CVE-2026-35504 | Subnet Solutions PowerSYSTEM Center CRLF injection | PowerSYSTEM Center 2020 | 5.5 | Medium | 2026-05-12 |
| CVE-2026-44217 | sse-channel: SSE Injection via unsanitized event fields | sse-channel | - | - | 2026-05-12 |
| CVE-2026-43882 | WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing | AVideo | 4.3 | Medium | 2026-05-11 |
| CVE-2026-43968 | CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1 | cowlib | - | - | 2026-05-11 |
| CVE-2026-43969 | Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1 | cowlib | - | - | 2026-05-11 |
| CVE-2026-42257 | net-imap: Command Injection via "raw" arguments to multiple commands | net-imap | 6.5 | - | 2026-05-09 |
| CVE-2026-41570 | PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes | phpunit | 7.8 | High | 2026-05-08 |
| CVE-2026-41417 | Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri() | netty | 5.3 | Medium | 2026-05-06 |
| CVE-2026-39849 | Pi-hole FTL remote code execution via newline injection in dns.interface configuration | FTL | 8.8 | - | 2026-05-05 |
| CVE-2026-34458 | Sandboxie-Plus privilege escalation via INI CRLF injection bypassing EditAdminOnly | Sandboxie | 7.8 | - | 2026-05-05 |
| CVE-2026-5140 | Authorization Bypass in TUBITAK BILGEM's Pardus Update | Pardus Update | 8.8 | High | 2026-04-29 |
| CVE-2026-42037 | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | axios | 5.3 | Medium | 2026-04-24 |
| CVE-2026-41230 | Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() | froxlor | 8.5 | High | 2026-04-23 |
| CVE-2026-2717 | HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values | HTTP Headers | 5.5 | Medium | 2026-04-22 |
| CVE-2026-32964 | Silex SD-330AC and Silex AMC Manager security vulnerability | SD-330AC | 6.5 | Medium | 2026-04-20 |
| CVE-2026-6351 | Openfind\|MailGates/MailAudit - CRLF Injection | MailGates | 7.5 | High | 2026-04-16 |
| CVE-2026-2400 | Schneider Electric PowerChute Serial Shutdown injection vulnerability | PowerChute™ Serial Shutdown | 4.5 | - | 2026-04-14 |

Vulnerabilities classified as CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) represent 107 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.