Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header...

7.3 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.

The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,

GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.

Basic Information

ID CVE-2026-9658

Source CPANSec

Published May 28, 2026 at 11:36

Modified Jun 1, 2026 at 18:00

Affected Product

Vendor RRWO

Product Plack::Middleware::Security::Common

Affected Versions RRWO Plack::Middleware::Security::Common 0

CWE Classification

CWE-790 CWE-113

References

metacpan.org /release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes

{
    "lastseen": "",
    "description": "Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.\n\nThe header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,\n\n  GET /path\\r\\nHTTP/1.1\\r\\nHost: secret.example.com\n\nNote that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.",
    "published": "2026-05-28T11:36:50.565Z",
    "modified": "2026-06-01T18:00:18.515Z",
    "type": "cve",
    "title": "Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths",
    "source": "CPANSec",
    "references": "https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes",
    "id": "CVE-2026-9658",
    "bulletinFamily": "",
    "cwe": [
        "CWE-790",
        "CWE-113"
    ],
    "cvelist": null,
    "sourceData": "RRWO Plack::Middleware::Security::Common 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Plack::Middleware::Security::Common",
    "version": "0",
    "vendor": "RRWO",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths_CVE-2026-9658