CVE-2026-54163
Received Received - Intake

Content-Security-Policy Injection in secure_headers

Vulnerability report for CVE-2026-54163, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

secure_headers manages application of security headers with many safe defaults. Prior to 7.3.0, secure_headers builds the Content-Security-Policy value by stitching directives with ; separators, and build_sandbox_list_directive, build_media_type_list_directive, and build_report_to_directive interpolate caller-supplied strings without scrubbing ;, \r, or \n. When untrusted input reaches SecureHeaders.override_content_security_policy_directives or append APIs for :sandbox, :plugin_types, or :report_to, an attacker can inject a CSP directive such as script-src 'unsafe-inline' * before the legitimate script-src, enabling XSS reachability through these sinks or CSP report exfiltration. This issue is fixed in version 7.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
secure_headers secure_headers 7.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the secure_headers gem before version 7.3.0. It allows attackers to inject malicious directives into Content-Security-Policy headers by exploiting improper input sanitization. Specifically, semicolons, carriage returns, or newlines in untrusted input can be used to insert harmful CSP rules like script-src 'unsafe-inline' * before legitimate ones, enabling cross-site scripting (XSS) attacks or data exfiltration through CSP reports.

Detection Guidance

Check if your system uses secure_headers gem version prior to 7.3.0. Run: gem list secure_headers. If version is less than 7.3.0, the system is vulnerable.

Impact Analysis

If you use the vulnerable version of secure_headers, attackers could exploit this flaw to bypass security controls. This may allow them to execute malicious scripts on your site (XSS), steal sensitive data via CSP reports, or manipulate security policies to weaken protections. Users of affected applications could face data breaches, account takeovers, or other security incidents.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR, HIPAA, and other regulations by enabling data breaches or unauthorized access to sensitive information. Failure to protect user data through proper security headers may result in legal penalties, reputational damage, and loss of trust. Organizations must address this issue to maintain compliance with data protection requirements.

Mitigation Strategies

Upgrade secure_headers gem to version 7.3.0 or later. Run: gem update secure_headers. Review CSP directives for unexpected script-src or other malicious injections.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54163. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart