CVE-2026-33523
HTTP Response Splitting in Apache HTTP Server
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | http_server | From 2.4.0 (inc) to 2.4.67 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-443 | This weakness can be found at CWE-113. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an HTTP response splitting issue found in multiple Apache HTTP Server modules when used with untrusted or compromised backend servers.
It affects Apache HTTP Server versions up to 2.4.66 and allows attackers to manipulate HTTP responses by injecting malicious headers or content.
Users are advised to upgrade to version 2.4.67 to fix this vulnerability.
How can this vulnerability impact me?
This vulnerability can allow attackers to perform HTTP response splitting attacks, which may lead to web cache poisoning, cross-site scripting (XSS), or other malicious activities.
The CVSS score of 6.5 indicates a medium severity with potential impacts on confidentiality and integrity, but no impact on availability.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache HTTP Server to version 2.4.67, which fixes the HTTP response splitting vulnerability.