Total
87 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-51981 | 2025-06-26 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CLRF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Eventing subscription SOAP operation. The attacker can control all the HTTP data sent in the SSRF connection, but the attacker can not receive any data back from this connection. | |||||
| CVE-2025-52479 | 2025-06-26 | N/A | N/A | ||
| HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs). URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allows the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or protected, this can lead to a CRLF injection attack. Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17, and users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. The check for valid URIs is now in the URI.jl package, and the latest version of HTTP.jl incorporates that fix. As a workaround, manually validate any URIs before passing them on to functions in this package. | |||||
| CVE-2024-5193 | 1 Ritlabs | 1 Tinyweb | 2025-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been classified as problematic. Affected is an unknown function of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-265830 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-40671 | 2025-05-28 | N/A | N/A | ||
| SQL injection vulnerability in AES Multimedia's Gestnet v1.07. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘fk_remoto_central’ parameter on the ‘/webservices/articles.php’ endpoint. | |||||
| CVE-2017-14037 | 1 Crushftp | 1 Crushftp | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| CrushFTP before 7.8.0 and 8.x before 8.2.0 has an HTTP header vulnerability. | |||||
| CVE-2014-9564 | 1 Ibm | 4 En6131, En6131 Firmware, Ib6131 and 1 more | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF injection vulnerability in IBM Flex System EN6131 40Gb Ethernet and IB6131 40Gb Infiniband Switch firmware before 3.4.1110 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks and resulting web cache poisoning or cross-site scripting (XSS) attacks, or obtain sensitive information via multiple unspecified parameters. | |||||
| CVE-2017-6508 | 1 Gnu | 1 Wget | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL. | |||||
| CVE-2017-8788 | 1 Accellion | 1 File Transfer Appliance | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a CRLF vulnerability in settings_global_text_edit.php allowing ?display=x%0Dnewline attacks. | |||||
| CVE-2017-2111 | 1 Iodata | 14 Ts-ptcam, Ts-ptcam\/poe, Ts-ptcam\/poe Firmware and 11 more | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| HTTP header injection vulnerability in TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier may allow a remote attackers to display false information. | |||||
| CVE-2017-5868 | 1 Openvpn | 1 Openvpn Access Server | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/. | |||||
| CVE-2015-9096 | 1 Ruby-lang | 1 Ruby | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. | |||||
| CVE-2015-9097 | 1 Mail Project | 1 Mail | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. | |||||
| CVE-2016-6484 | 1 Infoblox | 1 Netmri | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF injection vulnerability in Infoblox Network Automation NetMRI before 7.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the contentType parameter in a login action to config/userAdmin/login.tdf. | |||||
| CVE-2017-8791 | 1 Accellion | 1 File Transfer Appliance | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a home/seos/courier/login.html auth_params CRLF attack vector. | |||||
| CVE-2015-0770 | 1 Cisco | 1 Telepresence Tc Software | 2025-04-12 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in Cisco TelePresence TC 6.x before 6.3.4 and 7.x before 7.3.3 on Integrator C SX20 devices allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL, aka Bug ID CSCut79341. | |||||
| CVE-2016-5331 | 1 Vmware | 2 Esxi, Vcenter Server | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | |||||
| CVE-2016-4993 | 1 Redhat | 3 Enterprise Linux, Jboss Enterprise Application Platform, Jboss Wildfly Application Server | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | |||||
| CVE-2016-9964 | 2 Bottlepy, Debian | 2 Bottle, Debian Linux | 2025-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call. | |||||
| CVE-2007-0892 | 1 Matthieu Aubry | 1 Phpmyvisites | 2025-04-09 | 7.5 HIGH | N/A |
| CRLF injection vulnerability in phpMyVisites before 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the url parameter, when the pagename parameter begins with "FILE:". | |||||
| CVE-2023-0040 | 1 Asynchttpclient Project | 1 Async-http-client | 2025-04-03 | N/A | 7.5 HIGH |
| Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted data into HTTP header field values without prior sanitisation. Common use-cases here might be to place usernames from a database into HTTP header fields. This vulnerability allows attackers to inject new HTTP header fields, or entirely new requests, into the data stream. This can cause requests to be understood very differently by the remote server than was intended. In general, this is unlikely to result in data disclosure, but it can result in a number of logical errors and other misbehaviours. | |||||