CVE-2026-9658
Status: Deferred - Pending Action
Header Injection in Plack Middleware Security Common

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: CPANSec

Description
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule caught CRLF sequences in the request path only when they were double-encoded; otherwise the request passed through, for example a raw CRLF in the path:

GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
Meta Information
Generated: 2026-06-17
EPSS evaluated: 2026-06-16
Affected Vendors & Products
Vendor   Product     Version / Range
plack    middleware  before 0.13.1 (0.13.1 itself excluded; fixed in 0.13.1)
CWE
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): the product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CWE-790 Improper Filtering of Special Elements: the product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.
Executive Summary

This vulnerability exists in Plack::Middleware::Security::Common versions before 0.13.1 for Perl. The module's header injection rule does not effectively block header injections in request paths.

Specifically, the rule only catches CRLF sequences in the request path when they are double-encoded. A request such as GET /path\r\nHTTP/1.1\r\nHost: secret.example.com, whose path carries a raw CRLF followed by what looks like a second request line and a Host header, is not rejected by the rule.

It is unclear how reverse proxies or Plack-based servers handle request paths containing CRLF sequences followed by additional headers, so whether such a request reaches the application intact, is rejected, or is reinterpreted depends on the components in front of and behind the middleware.

Impact Analysis

This vulnerability allows an attacker to place CRLF sequences, followed by header-like lines, into the request path without the middleware rejecting the request.

If any component that later handles the request treats those CRLF sequences as line breaks (for instance when re-serializing the request to a backend or when logging it), the injected text can be read as additional headers. The example in the description injects a Host header, which is the kind of manipulation that can lead to request smuggling, cache poisoning, or routing the request to a virtual host the attacker should not reach.

However, the exact impact depends on how the affected servers and proxies handle these malformed requests, which the advisory states is unclear.

Compliance Impact

The provided information does not specify how CVE-2026-9658 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves CRLF sequences in request paths that Plack::Middleware::Security::Common versions before 0.13.1 do not properly block.

To detect exploitation attempts, monitor HTTP requests for CRLF injection patterns in the request path. Look for both raw CR/LF bytes (\r\n) and their percent-encoded forms (%0d%0a) and double-encoded forms (%250d%250a), followed by header-like text such as Host:.

For example, you can use network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests and search for CRLF sequences in the request paths. Capture where the traffic is in cleartext: a capture on port 443 only yields TLS ciphertext, so capture on the plain HTTP hop between the reverse proxy and the Plack-based server instead.

  • Using tcpdump to capture cleartext HTTP traffic: tcpdump -A -s 0 'tcp port 80' (or the port the Plack server listens on behind the proxy)
  • Using grep or similar tools to search for raw and percent-encoded CRLF patterns in logs or captured traffic.

Additionally, review server logs for unusual request paths containing CRLF sequences. Note that servers typically escape control characters before writing them to the log (the exact escape form differs between servers), so a search for the literal escape sequence is needed as well as a search for the percent-encoded forms.
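The check the description implies, and the log review suggested above, as an added example in Python. This is not code from Plack::Middleware::Security::Common: crlf_depth reports the percent-decoding round at which a request target first reveals a CR or LF (0 = raw, 1 = %0d%0a, 2 = double-encoded), weak_rule_blocks is a constructed stand-in for the pre-0.13.1 behaviour the description reports (only the double-encoded form is caught) and is not the module's actual rule, hardened_rule_blocks rejects every depth, and scan_access_log runs the same check over constructed common-log-format lines under the assumption that the logger writes control bytes as \xHH escapes.

```python
"""CRLF-in-request-target checks and an access-log scan.

Added example for this advisory; not code from Plack::Middleware::Security::Common.
The 'weak' rule, the log lines and the logger escape convention are constructed
assumptions made for illustration.
"""
import re
from urllib.parse import unquote

CRLF = re.compile(r"[\r\n]")
# Assumed logger convention: control bytes written as \xHH (or \r, \n) escapes.
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# Request-line field of a common-log-format entry: "METHOD target HTTP/x.y"
REQUEST_FIELD = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[0-9.]+"')


def crlf_depth(target, max_rounds=3):
    """Smallest number of percent-decoding rounds after which the request
    target contains a CR or LF, or None if it never does.
    0 = raw CRLF, 1 = %0d%0a, 2 = %250d%250a (double-encoded).
    The loop is bounded so a long chain of %25 prefixes cannot spin."""
    current = target
    for depth in range(max_rounds + 1):
        if CRLF.search(current):
            return depth
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode, no CR/LF revealed
            return None
        current = decoded
    return None


def weak_rule_blocks(target):
    """Constructed stand-in for the pre-0.13.1 behaviour the advisory
    describes: only the double-encoded form is caught. Not the module's regex."""
    return re.search(r"%25(0d|0a)", target, re.I) is not None


def hardened_rule_blocks(target):
    """Reject the target if CR/LF is present raw or after any decoding round."""
    return crlf_depth(target) is not None


def unescape_log_field(field):
    """Undo the assumed logger escaping so a raw CRLF becomes visible again."""
    field = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)
    return field.replace("\\r", "\r").replace("\\n", "\n")


def scan_access_log(lines):
    """Return (line_no, logged_target, depth) for every request whose target
    carries CR/LF at some decoding depth; clean requests are skipped."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_FIELD.search(line)
        if match is None:
            continue
        depth = crlf_depth(unescape_log_field(match.group("target")))
        if depth is not None:
            hits.append((line_no, match.group("target"), depth))
    return hits


# Constructed common-log-format lines (not taken from any real server).
SAMPLE_LOG = [
    r'203.0.113.5 - - [28/May/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    r'203.0.113.7 - - [28/May/2026:10:00:01 +0000] "GET /path\x0D\x0AHTTP/1.1\x0D\x0AHost: secret.example.com HTTP/1.1" 400 0',
    r'203.0.113.7 - - [28/May/2026:10:00:02 +0000] "GET /path%0d%0aHost:%20secret.example.com HTTP/1.1" 404 0',
    r'203.0.113.7 - - [28/May/2026:10:00:03 +0000] "GET /path%250D%250AHost:%20secret.example.com HTTP/1.1" 404 0',
    r'198.51.100.9 - - [28/May/2026:10:00:04 +0000] "GET /search?q=a%20b HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for target in ("/path\r\nHTTP/1.1\r\nHost: secret.example.com",
                   "/path%0d%0aHost:%20secret.example.com",
                   "/path%250d%250aHost:%20secret.example.com"):
        print(f"depth={crlf_depth(target)} weak={weak_rule_blocks(target)} "
              f"hardened={hardened_rule_blocks(target)} {target!r}")
    for line_no, target, depth in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: CRLF at decode depth {depth}: {target!r}")
```

The point of the decode loop is that a path filter must look at the target both as received and after each percent-decoding round, because a downstream component may decode once more than the filter did; the bound on rounds keeps a pathological chain of %25 prefixes from looping. Which PSGI field the real rule inspects, and how your server escapes control bytes in its log, are the two things to confirm before reusing the scan.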

Mitigation Strategies

The recommended immediate mitigation is to upgrade Plack::Middleware::Security::Common to version 0.13.1 or later, where the header injection rule is fixed.

As a workaround before upgrading, enable the module's non_printable_chars rule alongside the header injection rule: CR and LF are non-printable characters, so that rule rejects requests carrying them in raw form regardless of the header injection rule's encoding handling.
