216.73.217.80

CVE-2026-9658

· Published 28/05/2026 13:16 · Modified 29/05/2026 15:29

Labels: CVE-2026-9658 2026-05-289b29abf9-4ab0-4765-b253-1875cd9b441eCVE-2026-9658CWE-113

Essential information

Published
28/05/2026 13:16
Modified
29/05/2026 15:29
Author
Creator
CISA KEV
No
CWE

Description

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET /path\r\nHTTP/1.1\r\nHost: secret.example.com Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
9b29abf9-4ab0-4765-b253-1875cd9b441e
NVD
View on NVD

Affected products (CPE)

ProductCPE
plack / middleware security common cpe:2.3:a:plack:middleware_security_common:<0.13.1:*:*:*:*:*:*:*

References