CVE-2026-9658
Description
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.
The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,
GET /path\r\nHTTP/1.1\r\nHost: secret.example.com
Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
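A defensive check for the condition described above, as an added example that is not code from Plack::Middleware::Security::Common or its fix: a plain PSGI wrapper that rejects request paths containing CR or LF in literal, percent-encoded, or double-encoded form. The names `path_has_crlf` and `reject_crlf_paths` and the sample paths are constructed for illustration; `REQUEST_URI` and `PATH_INFO` are the standard PSGI environment keys.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of Plack::Middleware::Security::Common):
# returns true if a path contains CR or LF either literally or after
# up to $max_rounds rounds of percent-decoding.
sub path_has_crlf {
    my ( $path, $max_rounds ) = @_;
    $max_rounds //= 3;
    for ( 0 .. $max_rounds ) {
        return 1 if $path =~ /[\r\n]/;
        ( my $decoded = $path ) =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        last if $decoded eq $path;    # nothing left to decode
        $path = $decoded;
    }
    return 0;
}

# Hypothetical PSGI middleware written as a plain code reference wrapper:
# checks the raw REQUEST_URI and the decoded PATH_INFO before calling the app.
sub reject_crlf_paths {
    my ($app) = @_;
    return sub {
        my ($env) = @_;
        for my $key (qw( REQUEST_URI PATH_INFO )) {
            next unless defined $env->{$key};
            return [ 400, [ 'Content-Type' => 'text/plain' ], ["Bad Request\n"] ]
                if path_has_crlf( $env->{$key} );
        }
        return $app->($env);
    };
}

# Constructed sample inputs, run against a stub application.
my $app = reject_crlf_paths( sub { [ 200, [ 'Content-Type' => 'text/plain' ], ["ok\n"] ] } );
my @samples = (
    [ 'plain path'    => '/path' ],
    [ 'literal CRLF'  => "/path\r\nHost: secret.example.com" ],
    [ 'encoded once'  => '/path%0D%0AHost:%20secret.example.com' ],
    [ 'encoded twice' => '/path%250D%250AHost:%20secret.example.com' ],
);
for my $sample (@samples) {
    my ( $label, $path ) = @$sample;
    my $res = $app->( { REQUEST_URI => $path, PATH_INFO => $path } );
    printf "%-14s => %d\n", $label, $res->[0];
}
```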
CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Incomplete
Common Consequences
Security Scopes Affected:
Integrity
Access Control
Potential Impacts:
Modify Application Data
Gain Privileges Or Assume Identity
Applicable Platforms
Technologies:
Web Based, Web Server
CWE-790
Improper Filtering of Special Elements
Incomplete
Common Consequences
Security Scopes Affected:
Integrity
Potential Impacts:
Unexpected State
Applicable Platforms
All platforms may be affected
https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/chan…