
CVE-2026-48598: CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection

AI Predicted: 7.5 · Difficulty: Easy

Possible ATT&CK Techniques (1, AI-predicted)

T1190 · Exploit Public-Facing Application

Affected Version Matrix (2)

Vendor       | Product | Version Range                                                                                   | Status
elixir-tesla | tesla   | from 0.8.0, before 1.18.3                                                                       | affected
elixir-tesla | tesla   | from commit 6ebfdb9abe9c6f119408045b933d82462decd351, before bb1a2c3da2775924d96e3db8e315dcc4d5d2246e | affected

I. Basic Information for CVE-2026-48598

Vulnerability Information


Vulnerability Title
CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue. This issue affects tesla: from 0.8.0 before 1.18.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Encoding or Escaping of Output
Source: NVD (National Vulnerability Database)
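To make the description concrete, here is an added example (my own code, not Tesla's own implementation or its fix) that places the raw-interpolation pattern the advisory describes beside a hardened builder. The module name, function names and the token/quoted-string rules are assumptions for illustration; the rejection of CR, LF and NUL and the escaping of quotes and backslashes are the defensive point.

```elixir
# Added example, not Tesla's own code: the raw-interpolation pattern the
# advisory describes, beside a hardened builder that validates each parameter.
defmodule DispositionExample do
  # Unsafe: values are interpolated verbatim, so a double quote, CR or LF in a
  # value changes the structure of the part header block (the CVE-2026-48598 bug).
  def unsafe_header(params) do
    attrs = Enum.map(params, fn {k, v} -> "#{k}=\"#{v}\"" end)
    "Content-Disposition: form-data; " <> Enum.join(attrs, "; ")
  end

  # Hardened: parameter names must be HTTP tokens, values must be free of CR, LF
  # and NUL, and quotes/backslashes are escaped as an RFC 7230 quoted-string.
  # Anything else is rejected rather than silently repaired.
  def safe_header(params) do
    result =
      Enum.reduce_while(params, {:ok, []}, fn {k, v}, {:ok, acc} ->
        with {:ok, name} <- token(to_string(k)),
             {:ok, quoted} <- quoted_string(to_string(v)) do
          {:cont, {:ok, [name <> "=" <> quoted | acc]}}
        else
          {:error, _} = err -> {:halt, err}
        end
      end)

    case result do
      {:ok, attrs} ->
        {:ok, "Content-Disposition: form-data; " <> Enum.join(Enum.reverse(attrs), "; ")}
      err ->
        err
    end
  end

  @token ~r/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/
  def token(name) do
    if Regex.match?(@token, name), do: {:ok, name}, else: {:error, {:bad_param_name, name}}
  end

  def quoted_string(value) do
    if String.contains?(value, ["\r", "\n", <<0>>]) do
      {:error, {:bad_param_value, value}}
    else
      escaped = String.replace(value, ~r/["\\]/, fn m -> "\\" <> m end)
      {:ok, "\"" <> escaped <> "\""}
    end
  end
end

# Constructed inputs: a filename with an embedded quote is escaped; one carrying a
# CR/LF pair (which Path.basename/1 would pass through) is rejected outright.
IO.inspect(DispositionExample.safe_header(name: "file", filename: "re\"port.txt"))
IO.inspect(DispositionExample.safe_header(name: "file", filename: "a\r\nb.txt"))
```

Run with `elixir disposition_example.exs`; the second call returns an error tuple instead of a header, which is the behaviour an application forwarding caller-supplied filenames should enforce before calling into the multipart builder.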

Affected Products

Vendor       | Product | Affected Versions                                                                    | CPE
elixir-tesla | tesla   | 0.8.0 ~ 1.18.3                                                                       | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
elixir-tesla | tesla   | 6ebfdb9abe9c6f119408045b933d82462decd351 ~ bb1a2c3da2775924d96e3db8e315dcc4d5d2246e | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*

II. Public POCs for CVE-2026-48598


No public POC found.


III. Intelligence Information for CVE-2026-48598


Patches & Fixes for CVE-2026-48598 (1)

Vendor Advisories for CVE-2026-48598 (3)

Same Patch Batch · elixir-tesla · 2026-06-02 · 5 CVEs total

CVE-2026-48594: Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression
CVE-2026-48596: CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection
CVE-2026-48595: Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middlew
CVE-2026-48597: Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint

IV. Related Vulnerabilities

V. Comments for CVE-2026-48598

No comments yet
