CVE-2026-48596— CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection
Possible ATT&CK Techniques 1AI
T1105 · Ingress Tool TransferAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| elixir-tesla | tesla | 0.8.0< 1.18.3 | affected |
6ebfdb9abe9c6f119408045b933d82462decd351< 23601edac5d22ba9407b427967b5bdbda201aec2 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48596
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2. Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\r) or LF (\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing \r\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected. This issue affects tesla: from 0.8.0 before 1.18.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTP头部中CRLF序列转义处理不恰当(HTTP响应分割)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| elixir-tesla | tesla | 0.8.0 ~ 1.18.3 | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* | |
| elixir-tesla | tesla | 6ebfdb9abe9c6f119408045b933d82462decd351 ~ 23601edac5d22ba9407b427967b5bdbda201aec2 | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-48596
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48596
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-48596 (1)
Vendor Advisories for CVE-2026-48596 (3)
- 🔗 EEF-CVE-2026-48596 - OSVrelated
Same Patch Batch · elixir-tesla · 2026-06-02 · 5 CVEs total
| CVE-2026-48598 | CRLF injection in Tesla.Multipart disposition parameters allows multipart part header inje | |
| CVE-2026-48594 | Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression | |
| CVE-2026-48595 | Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middlew | |
| CVE-2026-48597 | Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint |
IV. Related Vulnerabilities
Same product: tesla
Same vendor: elixir-tesla
Same weakness: CWE-113
- CVE-2026-47675
Hono: Cookie helper does not sanitize sameSite and priority, - CVE-2026-42578
Netty: HTTP Header Injection via HttpProxyHandler Disabled V - CVE-2026-7010
HTTP::Tiny versions before 0.093 for Perl do not validate CR - CVE-2026-42874
Microdot: HTTP response splitting in Response.set_cookie() - CVE-2026-42035
Axios: Header Injection via Prototype Pollution
V. Comments for CVE-2026-48596
No comments yet