Description

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.

The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example:

    GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.

PUBLISHED Reserved 2026-05-26 | Published 2026-05-28 | Updated 2026-05-28 | Assigner CPANSec

Problem types

CWE-790 Improper Filtering of Special Elements

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers

Product status

Default status: unaffected

Any version before 0.13.1: affected

References

metacpan.org/...k-Middleware-Security-Simple-v0.13.1/changes release-notes

cve.org (CVE-2026-9658)

nvd.nist.gov (CVE-2026-9658)