CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) — Vulnerability Class, 89 vulnerabilities

89 vulnerabilities classified as CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')). AI-generated Chinese analysis included.

CWE-93 represents a critical input validation weakness where applications fail to properly sanitize Carriage Return and Line Feed characters within user-supplied data. This vulnerability typically enables attackers to inject malicious HTTP headers or split response lines, facilitating attacks such as HTTP response splitting, session fixation, or cross-site scripting. By manipulating these control characters, adversaries can alter the structure of web responses, potentially redirecting users to phishing sites or injecting malicious scripts into the browser context. To mitigate this risk, developers must rigorously validate and sanitize all input fields, specifically filtering out or encoding CRLF sequences before processing. Implementing strict allow-lists for acceptable characters and utilizing framework-provided encoding functions ensures that these control characters are neutralized, thereby preserving the integrity of HTTP headers and preventing unauthorized manipulation of application logic.

MITRE CWE Description
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Common Consequences (1)
Integrity: Modify Application Data

Mitigations (2)
Implementation: Avoid using CRLF as a special sequence.
Implementation: Appropriately filter or quote CRLF sequences in user-controlled input.

Examples (2)
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
    String author = request.getParameter(AUTHOR_PARAM);
    ...
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

Bad · Java

    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    ...

Result
The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment …
    name: Deploy Preview
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: 'Download artifact'
            uses: actions/github-script
            with:
              script: |
                var artifacts = await github.actions.listWorkflowRunArtifacts({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  run_id: ${{ github.event.workflow_run.id }},
                });
                var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
                  return artifact.name == "pr"
                })[0];
                var downloadPr = await github.actions.downloadArtifact({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  artifact_id: matchPrArtifact.id,
                  archive_format: 'zip',
                });
                var fs = require('fs');
Bad · Other
\nNODE_OPTIONS="--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//"
Attack
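As an added example (not MITRE's code and not from any project listed here), the "validate before emitting" pattern from the mitigations above, applied to both examples: a header value containing CR or LF is rejected before it reaches Set-Cookie, and the value destined for $GITHUB_ENV is restricted to an allow-list instead of merely filtered. All function names and the sample inputs are hypothetical and constructed for this illustration.

```javascript
// Added example (not MITRE's or any project's code): the "validate before
// emitting" pattern for line-oriented sinks, applied to both MITRE examples.
// assertNoCrlf, buildSetCookie*, headerLineCount and githubEnvLine are
// hypothetical helpers, not an API of any library shown on the page.

const CRLF_RE = /[\r\n]/;

// Mitigation 2 on the page: filter CRLF in user-controlled input. Rejecting
// is preferred over silently rewriting, so the caller learns the input was bad.
function assertNoCrlf(value, fieldName) {
  if (CRLF_RE.test(value)) {
    throw new Error(`${fieldName}: CR or LF is not allowed in a header value`);
  }
  return value;
}

// Example 1 (Set-Cookie built from the untrusted "author" parameter).
// Vulnerable form: the value is concatenated verbatim into the header line.
function buildSetCookieUnsafe(author) {
  return `Set-Cookie: author=${author}`;
}
// Hardened form: the value is checked first, so one input yields one header.
function buildSetCookieSafe(author) {
  return `Set-Cookie: author=${assertNoCrlf(author, "author")}`;
}

// Observable effect of header injection: how many header lines came out.
function headerLineCount(headerBlock) {
  return headerBlock.split(/\r?\n/).length;
}

// Example 2: $GITHUB_ENV holds one "NAME=value" per line, so a newline inside
// the artifact's value defines an extra variable (the page's NODE_OPTIONS case).
// A PR number is digits only, so an allow-list is tighter than CRLF filtering.
function githubEnvLine(name, value) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) throw new Error("invalid env name");
  if (!/^[0-9]{1,10}$/.test(value)) throw new Error("pr_number must be digits only");
  return `${name}=${value}\n`;
}

// Constructed inputs: a benign author and one carrying a second header line.
const benignAuthor = "Jane Smith";
const injectedAuthor = "Jane Smith\r\nSet-Cookie: injected=1";

console.log(headerLineCount(buildSetCookieUnsafe(injectedAuthor))); // 2 (injection landed)
console.log(buildSetCookieSafe(benignAuthor));                      // Set-Cookie: author=Jane Smith
console.log(JSON.stringify(githubEnvLine("pr_number", "42")));      // "pr_number=42\n"
```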
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-42257 | net-imap: Command Injection via "raw" arguments to multiple commands | net-imap | 6.5 (AI) | Medium (AI) | 2026-05-09 |
| CVE-2026-41570 | PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes | phpunit | 7.8 | High | 2026-05-08 |
| CVE-2026-41417 | Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri() | netty | 5.3 | Medium | 2026-05-06 |
| CVE-2026-39849 | Pi-hole FTL remote code execution via newline injection in dns.interface configuration | FTL | 8.8 | - | 2026-05-05 |
| CVE-2026-34458 | Sandboxie-Plus privilege escalation via INI CRLF injection bypassing EditAdminOnly | Sandboxie | 7.8 | - | 2026-05-05 |
| CVE-2026-5140 | Authorization Bypass in TUBITAK BILGEM's Pardus Update | Pardus Update | 8.8 | High | 2026-04-29 |
| CVE-2026-42037 | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | axios | 5.3 | Medium | 2026-04-24 |
| CVE-2026-41230 | Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() | froxlor | 8.5 | High | 2026-04-23 |
| CVE-2026-2717 | HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values | HTTP Headers | 5.5 | Medium | 2026-04-22 |
| CVE-2026-32964 | Silex SD-330AC and Silex AMC Manager security vulnerability | SD-330AC | 6.5 | Medium | 2026-04-20 |
| CVE-2026-6351 | Openfind\|MailGates/MailAudit - CRLF Injection | MailGates | 7.5 | High | 2026-04-16 |
| CVE-2026-2400 | Schneider Electric PowerChute Serial Shutdown injection vulnerability | PowerChute™ Serial Shutdown | 4.5 | - | 2026-04-14 |
| CVE-2026-35601 | Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output | vikunja | 4.1 | Medium | 2026-04-10 |
| CVE-2026-39983 | FTP Command Injection via CRLF in basic-ftp | basic-ftp | 8.6 | High | 2026-04-09 |
| CVE-2026-39958 | oma-topic: name Field in Topic Manifests (topic.json) May Allow CRLF Injection | oma | 5.3 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-39394 | CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller | ci4ms | 8.1 | High | 2026-04-08 |
| CVE-2026-34975 | Plunk has a CRLF Email Header Injection in raw MIME message construction allows authenticated API user to inject arbitrary email headers | plunk | 8.5 | High | 2026-04-06 |
| CVE-2026-26962 | Rack: Header injection in multipart requests | rack | 4.8 | Medium | 2026-04-02 |
| CVE-2026-2442 | Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email' | Page Builder: Pagelayer – Drag and Drop website builder | 5.3 | Medium | 2026-03-28 |
| CVE-2026-33635 | iCalendar has ICS injection via unsanitized URI property values | icalendar | 4.3 | Medium | 2026-03-26 |
| CVE-2026-20113 | Cisco IOS XE Software injection vulnerability | Cisco IOS XE Software | 5.3 | Medium | 2026-03-25 |
| CVE-2026-28753 | NGINX ngx_mail_proxy_module vulnerability | NGINX Open Source | 3.7 | Low | 2026-03-24 |
| CVE-2026-33128 | h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields | h3 | 7.5 | High | 2026-03-20 |
| CVE-2026-3633 | Libsoup: libsoup: header and http request injection via crlf injection | Red Hat Enterprise Linux 10 | 3.9 | Low | 2026-03-17 |
| CVE-2026-3634 | Libsoup: libsoup: http header injection and response splitting via crlf injection in content-type header | Red Hat Enterprise Linux 10 | 3.9 | Low | 2026-03-17 |
| CVE-2026-1527 | undici is vulnerable to CRLF Injection via upgrade option | undici | 4.6 | Medium | 2026-03-12 |
| CVE-2026-3234 | Mod_proxy_cluster: mod_proxy_cluster: response body corruption via crlf injection | Red Hat Enterprise Linux 10 | 4.3 | Medium | 2026-03-12 |
| CVE-2026-3848 | Improper Neutralization of CRLF Sequences ('CRLF Injection') in GitLab | GitLab | 5.0 | Medium | 2026-03-11 |
| CVE-2026-30227 | MimeKit: CRLF Injection in Quoted Local-Part Enables SMTP Command Injection and Email Forgery | MimeKit | 8.2 | - | 2026-03-06 |
| CVE-2026-28296 | Gvfs: ftp gvfs backend: arbitrary ftp command injection via crlf sequences in file paths | Red Hat Enterprise Linux 10 | 4.3 | Medium | 2026-02-26 |

Vulnerabilities classified as CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) represent 89 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.