CWE-93
AllowedImproper Neutralization of CRLF Sequences ('CRLF Injection')
Abstraction: Base · Status: Draft
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
323 vulnerabilities reference this CWE, most recent first.
GHSA-JX6G-363C-PPRR
Vulnerability from github – Published: 2026-03-17 12:30 – Updated: 2026-03-17 12:30A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the soup_message_headers_set_content_type() function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.
{
"affected": [],
"aliases": [
"CVE-2026-3634"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-17T10:16:00Z",
"severity": "LOW"
},
"details": "A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.",
"id": "GHSA-jx6g-363c-pprr",
"modified": "2026-03-17T12:30:19Z",
"published": "2026-03-17T12:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3634"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-3634"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445129"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/485"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-M4J5-5X4R-2XP9
Vulnerability from github – Published: 2025-09-17 20:24 – Updated: 2025-09-17 20:24Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "26.3.0"
},
{
"fixed": "26.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-8419"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-17T20:24:07Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw\u0027s only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.",
"id": "GHSA-m4j5-5x4r-2xp9",
"modified": "2025-09-17T20:24:07Z",
"published": "2025-09-17T20:24:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4j5-5x4r-2xp9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8419"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15336"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15337"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15338"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15339"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-8419"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385776"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak SMTP Inject Vulnerability"
}
GHSA-M6QW-4CW2-HM4M
Vulnerability from github – Published: 2026-06-15 20:07 – Updated: 2026-06-15 20:07Summary
Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar.
Impact
In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request.
Workaround
Sanitise such user input.
Patch: https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13.5"
},
"package": {
"ecosystem": "PyPI",
"name": "aiohttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50269"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T20:07:26Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\nAttacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar.\n\n### Impact\n\nIn the unlikely situation that an application is passing user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, then an attacker may be able to modify the request to inject headers or change the contents of the request.\n\n### Workaround\n\nSanitise such user input.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8",
"id": "GHSA-m6qw-4cw2-hm4m",
"modified": "2026-06-15T20:07:26Z",
"published": "2026-06-15T20:07:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m6qw-4cw2-hm4m"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8"
},
{
"type": "PACKAGE",
"url": "https://github.com/aio-libs/aiohttp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "aiohttp: CRLF injection in multipart headers"
}
GHSA-M7VJ-MCJG-2MX3
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31CLRF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk.
{
"affected": [],
"aliases": [
"CVE-2025-0293"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T16:15:51Z",
"severity": "MODERATE"
},
"details": "CLRF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk.",
"id": "GHSA-m7vj-mcjg-2mx3",
"modified": "2025-07-08T18:31:43Z",
"published": "2025-07-08T18:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0293"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/July-Security-Advisory-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Multiple-CVEs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-M93C-CH8C-Q8CJ
Vulnerability from github – Published: 2026-06-10 21:31 – Updated: 2026-06-19 18:32Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.
Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.
In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
{
"affected": [],
"aliases": [
"CVE-2026-50638"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T19:16:37Z",
"severity": "CRITICAL"
},
"details": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.\n\nMetrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.\n\nIn addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.",
"id": "GHSA-m93c-ch8c-q8cj",
"modified": "2026-06-19T18:32:31Z",
"published": "2026-06-10T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50638"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50637"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50639"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M9G3-3G99-MHPX
Vulnerability from github – Published: 2026-05-08 20:49 – Updated: 2026-06-08 23:29Summary
eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This is similar in spirit to GHSA-4hxc-9384-m385 (h3), but the vulnerable fields are event/id rather than data/comment. These are less likely to be user-controllable, but should still be sanitized.
Details
In src/encode.ts, encodeMessage interpolates event and id into the output without inspecting them for line terminators:
if (message.event) {
output += `event: ${message.event}\n`
}
// ...
if (typeof message.id === 'string' || typeof message.id === 'number') {
output += `id: ${message.id}\n`
}
The SSE specification treats \r, \n, and \r\n as line terminators. A \n (or \r) embedded in either field is rendered as the end of that field, allowing the rest of the input to be interpreted by the client as new SSE fields.
By contrast, data and comment already normalize all three line-terminator forms via NEWLINES_RE = /(\r\n|\r|\n)/g, so they are not affected.
Proof of concept
import {encode} from 'eventsource-encoder'
// Attacker-controlled value flows into `event`
const userSuppliedTopic = 'message\nevent: admin\ndata: {"role":"admin"}'
console.log(encode({event: userSuppliedTopic, data: 'hello'}))
Output:
event: message
event: admin
data: {"role":"admin"}
data: hello
The browser sees two events: a forged admin event with attacker-chosen payload, followed by the legitimate message event. The same primitive works through id for any string id value.
Impact
If untrusted input is passed into the event or id field of a message, an attacker can:
- Spoof events of arbitrary type (rerouting payloads to handlers the attacker chooses)
- Inject additional SSE fields (
data:,id:,retry:) into the stream - Split a single
encode()call into multiple distinct browser events - Override the client's
Last-Event-IDvia injectedid:lines
The vulnerability requires that an application places attacker-controlled data into event or id. Applications that only put trusted, statically-defined values into these fields are not affected.
Patches
Fixed in eventsource-encoder@1.0.2. The event and string id fields are now validated; any value containing \r or \n causes the encoder to throw a TypeError rather than emit a malformed stream.
Workarounds
If users cannot upgrade, validate or strip line terminators from any untrusted value before passing it to encode / encodeMessage:
function safeSingleLine(value) {
if (/[\r\n]/.test(value)) throw new Error('SSE field must be single-line')
return value
}
encode({event: safeSingleLine(topic), id: safeSingleLine(id), data})
Resources
- Related advisory (different package, same class): https://github.com/advisories/GHSA-4hxc-9384-m385
- SSE spec, line terminators: https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream
Credit
Discovered while reviewing in light of GHSA-4hxc-9384-m385.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.1"
},
"package": {
"ecosystem": "npm",
"name": "eventsource-encoder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44214"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T20:49:40Z",
"nvd_published_at": "2026-05-26T20:16:19Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`eventsource-encoder` does not sanitize the `event` or `id` fields of an `EventSourceMessage` before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (`\\n`, `\\r`, or `\\r\\n`) and thereby forge additional SSE fields or entire messages on the stream. This is similar in spirit to [GHSA-4hxc-9384-m385](https://github.com/advisories/GHSA-4hxc-9384-m385) (h3), but the vulnerable fields are `event`/`id` rather than `data`/`comment`. These are less likely to be user-controllable, but should still be sanitized.\n\n### Details\n\nIn `src/encode.ts`, `encodeMessage` interpolates `event` and `id` into the output without inspecting them for line terminators:\n\n```ts\nif (message.event) {\n output += `event: ${message.event}\\n`\n}\n// ...\nif (typeof message.id === \u0027string\u0027 || typeof message.id === \u0027number\u0027) {\n output += `id: ${message.id}\\n`\n}\n```\n\nThe SSE specification treats `\\r`, `\\n`, and `\\r\\n` as line terminators. A `\\n` (or `\\r`) embedded in either field is rendered as the end of that field, allowing the rest of the input to be interpreted by the client as new SSE fields.\n\nBy contrast, `data` and `comment` already normalize all three line-terminator forms via `NEWLINES_RE = /(\\r\\n|\\r|\\n)/g`, so they are not affected.\n\n### Proof of concept\n\n```js\nimport {encode} from \u0027eventsource-encoder\u0027\n\n// Attacker-controlled value flows into `event`\nconst userSuppliedTopic = \u0027message\\nevent: admin\\ndata: {\"role\":\"admin\"}\u0027\n\nconsole.log(encode({event: userSuppliedTopic, data: \u0027hello\u0027}))\n```\n\nOutput:\n\n```\nevent: message\nevent: admin\ndata: {\"role\":\"admin\"}\ndata: hello\n\n```\n\nThe browser sees two events: a forged `admin` event with attacker-chosen payload, followed by the legitimate `message` event. The same primitive works through `id` for any string id value.\n\n### Impact\n\nIf untrusted input is passed into the `event` or `id` field of a message, an attacker can:\n\n- Spoof events of arbitrary type (rerouting payloads to handlers the attacker chooses)\n- Inject additional SSE fields (`data:`, `id:`, `retry:`) into the stream\n- Split a single `encode()` call into multiple distinct browser events\n- Override the client\u0027s `Last-Event-ID` via injected `id:` lines\n\nThe vulnerability requires that an application places attacker-controlled data into `event` or `id`. Applications that only put trusted, statically-defined values into these fields are not affected.\n\n### Patches\n\nFixed in `eventsource-encoder@1.0.2`. The `event` and string `id` fields are now validated; any value containing `\\r` or `\\n` causes the encoder to throw a `TypeError` rather than emit a malformed stream.\n\n### Workarounds\n\nIf users cannot upgrade, validate or strip line terminators from any untrusted value before passing it to `encode` / `encodeMessage`:\n\n```js\nfunction safeSingleLine(value) {\n if (/[\\r\\n]/.test(value)) throw new Error(\u0027SSE field must be single-line\u0027)\n return value\n}\n\nencode({event: safeSingleLine(topic), id: safeSingleLine(id), data})\n```\n\n### Resources\n\n- Related advisory (different package, same class): https://github.com/advisories/GHSA-4hxc-9384-m385\n- SSE spec, line terminators: https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream\n\n### Credit\n\nDiscovered while reviewing in light of GHSA-4hxc-9384-m385.",
"id": "GHSA-m9g3-3g99-mhpx",
"modified": "2026-06-08T23:29:22Z",
"published": "2026-05-08T20:49:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44214"
},
{
"type": "PACKAGE",
"url": "https://github.com/rexxars/eventsource-encoder"
},
{
"type": "WEB",
"url": "https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields"
}
GHSA-MCVM-9XXC-24JX
Vulnerability from github – Published: 2026-06-04 18:30 – Updated: 2026-06-04 21:31Etsy::StatsD versions through 1.002002 for Perl allow metric injections.
The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.
{
"affected": [],
"aliases": [
"CVE-2026-46741"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T17:16:32Z",
"severity": "HIGH"
},
"details": "Etsy::StatsD versions through 1.002002 for Perl allow metric injections.\n\nThe metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\n\nNote that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.",
"id": "GHSA-mcvm-9xxc-24jx",
"modified": "2026-06-04T21:31:21Z",
"published": "2026-06-04T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46741"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MGR7-5782-6JH9
Vulnerability from github – Published: 2025-01-13 16:18 – Updated: 2025-01-13 16:18Impact
The Heartcore headless client library depends on Refit to assist in making HTTP requests to Heartcore public APIs. Refit recently published an advisory regarding a CRLF injection vulnerability whereby it is possible for a malicious user to smuggle additional headers or potentially body content into a request.
This shouldn't affect Heartcore client library usage as the vulnerable method - HttpHeaders.TryAddWithoutValidation - is not used. However, since Refit is a transient dependency for applications using this library, then any users making direct use of Refit could be vulnerable.
Patches
The vulnerable version of Refit has been upgraded to a secure version, as of Umbraco.Headless.Client.Net version 1.5.0, available on Nuget.
Workarounds
If calling Refit from your own code, set any necessary HTTP headers without use of HttpHeaders.TryAddWithoutValidation.
References
See the original Refit advisory for further info.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.1"
},
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Headless.Client.Net"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-13T16:18:39Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nThe Heartcore headless client library depends on [Refit ](https://github.com/reactiveui/refit) to assist in making HTTP requests to Heartcore public APIs. Refit recently published an advisory regarding a CRLF injection vulnerability whereby it is possible for a malicious user to smuggle additional headers or potentially body content into a request.\n\nThis shouldn\u0027t affect Heartcore client library usage as the vulnerable method - `HttpHeaders.TryAddWithoutValidation` - is not used. However, since Refit is a transient dependency for applications using this library, then any users making direct use of Refit could be vulnerable.\n\n### Patches\nThe vulnerable version of Refit has been upgraded to a secure version, as of Umbraco.Headless.Client.Net version 1.5.0, available on [Nuget](https://www.nuget.org/packages/Umbraco.Headless.Client.Net/1.5.0).\n\n### Workarounds\nIf calling Refit from your own code, set any necessary HTTP headers without use of `HttpHeaders.TryAddWithoutValidation`.\n\n### References\nSee the [original Refit advisory](https://github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7) for further info.\n",
"id": "GHSA-mgr7-5782-6jh9",
"modified": "2025-01-13T16:18:39Z",
"published": "2025-01-13T16:18:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco.Headless.Client.Net/security/advisories/GHSA-mgr7-5782-6jh9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51501"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco.Headless.Client.Net"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "The Umbraco Heartcore headless client library uses a vulnerable Refit dependency package"
}
GHSA-MGWX-W2XC-PJQ7
Vulnerability from github – Published: 2026-04-16 03:31 – Updated: 2026-04-16 03:31MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files.
{
"affected": [],
"aliases": [
"CVE-2026-6351"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T03:16:31Z",
"severity": "HIGH"
},
"details": "MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files.",
"id": "GHSA-mgwx-w2xc-pjq7",
"modified": "2026-04-16T03:31:06Z",
"published": "2026-04-16T03:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6351"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10843-9ff91-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10844-1405d-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MH6W-VXFF-9WQP
Vulnerability from github – Published: 2026-04-22 14:56 – Updated: 2026-04-22 14:56Impact
PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives.
An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process.
Sources of INI values that participate in the attack:
<ini name="…" value="…"/>entries inphpunit.xml/phpunit.xml.dist- INI settings inherited from the host PHP runtime via
ini_get_all()
Threat Model
Exploitation requires the attacker to control the content of an INI value read by PHPUnit. In practice this means write access to the project's phpunit.xml, the host php.ini, or the PHP binary's environment. The most realistic exposure is Poisoned Pipeline Execution (PPE): a pull request from an untrusted contributor that modifies phpunit.xml to include a newline-containing INI value, executed by a CI system that runs PHPUnit against the PR without isolation. A malicious newline is not visibly distinguishable from a legitimate value in a typical diff review.
Affected Component
PHPUnit\Util\PHP\JobRunner::settingsToParameters()
Patches
The fix has two parts:
1. Reject line-break characters
Because a newline or carriage return in an INI value has no legitimate use and is the primitive that enables directive injection, any PHP setting value containing \n or \r is now rejected with an explicit PhpProcessException. This follows the same "visibility over silence" principle applied in CVE-2026-24765: the anomalous state fails loudly in CI output rather than being silently sanitized, giving operators an opportunity to investigate whether it reflects tampering, environment contamination, or an unexpected upstream change.
2. Quote remaining metacharacters
Values containing " or ;, both of which have legitimate uses (e.g., regex-valued INI settings such as ddtrace's datadog.appsec.obfuscation_parameter_value_regexp), are wrapped in double quotes with inner " escaped as \", so PHP's INI parser reads them as literal string contents rather than comment/delimiter tokens. Plain values are forwarded unchanged so that boolean keywords (On/Off) and bitwise expressions (E_ALL & ~E_NOTICE) retain their INI semantics.
Workarounds
If upgrading is not immediately possible:
- Audit INI values: Ensure no
<ini value="…">entry inphpunit.xml/phpunit.xml.distcontains newline,", or;characters, and that nothing writes such values into configuration at build time. - Isolate CI execution of untrusted code: Run PHPUnit against pull requests only in ephemeral, containerized runners that discard filesystem state between jobs; require human review before executing PRs from forks; enforce branch protection on workflows that handle secrets (
pull_request_targetand similar). These mitigations apply to the broader PPE risk class and are effective against this vulnerability as well. - Restrict who can modify
phpunit.xml: Treatphpunit.xmlas security-sensitive in code review, particularly<ini>entries. - Sanitize host INI: Ensure the host PHP's
php.inidoes not contain values with embedded newlines or unescaped metacharacters.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpunit/phpunit"
},
"ranges": [
{
"events": [
{
"introduced": "12.5.21"
},
{
"fixed": "12.5.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpunit/phpunit"
},
"ranges": [
{
"events": [
{
"introduced": "13.1.5"
},
{
"fixed": "13.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-88",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T14:56:07Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# Impact\n\nPHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as `-d name=value` command-line arguments without neutralizing INI metacharacters. Because PHP\u0027s INI parser interprets `\"` as a string delimiter, `;` as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as **multiple INI directives**.\n\nAn attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child\u0027s configuration, including `auto_prepend_file`, `extension`, `disable_functions`, `open_basedir`, and others. Setting `auto_prepend_file` to an attacker-controlled path yields **remote code execution** in the child process.\n\n**Sources of INI values that participate in the attack:**\n\n- `\u003cini name=\"\u2026\" value=\"\u2026\"/\u003e` entries in `phpunit.xml` / `phpunit.xml.dist`\n- INI settings inherited from the host PHP runtime via `ini_get_all()`\n\n## Threat Model\n\nExploitation requires the attacker to control the content of an INI value read by PHPUnit. In practice this means write access to the project\u0027s `phpunit.xml`, the host `php.ini`, or the PHP binary\u0027s environment. The most realistic exposure is **Poisoned Pipeline Execution (PPE)**: a pull request from an untrusted contributor that modifies `phpunit.xml` to include a newline-containing INI value, executed by a CI system that runs PHPUnit against the PR without isolation. A malicious newline is not visibly distinguishable from a legitimate value in a typical diff review.\n\n## Affected Component\n\n`PHPUnit\\Util\\PHP\\JobRunner::settingsToParameters()`\n\n## Patches\n\nThe fix has two parts:\n\n### 1. Reject line-break characters\n\nBecause a newline or carriage return in an INI value has no legitimate use and is the primitive that enables directive injection, any PHP setting value containing `\\n` or `\\r` is now rejected with an explicit `PhpProcessException`. This follows the same \"visibility over silence\" principle applied in **CVE-2026-24765**: the anomalous state fails loudly in CI output rather than being silently sanitized, giving operators an opportunity to investigate whether it reflects tampering, environment contamination, or an unexpected upstream change.\n\n### 2. Quote remaining metacharacters\n\nValues containing `\"` or `;`, both of which have legitimate uses (e.g., regex-valued INI settings such as ddtrace\u0027s `datadog.appsec.obfuscation_parameter_value_regexp`), are wrapped in double quotes with inner `\"` escaped as `\\\"`, so PHP\u0027s INI parser reads them as literal string contents rather than comment/delimiter tokens. Plain values are forwarded unchanged so that boolean keywords (`On`/`Off`) and bitwise expressions (`E_ALL \u0026 ~E_NOTICE`) retain their INI semantics.\n\n## Workarounds\n\nIf upgrading is not immediately possible:\n\n1. **Audit INI values:** Ensure no `\u003cini value=\"\u2026\"\u003e` entry in `phpunit.xml` / `phpunit.xml.dist` contains newline, `\"`, or `;` characters, and that nothing writes such values into configuration at build time.\n2. **Isolate CI execution of untrusted code:** Run PHPUnit against pull requests only in ephemeral, containerized runners that discard filesystem state between jobs; require human review before executing PRs from forks; enforce branch protection on workflows that handle secrets (`pull_request_target` and similar). These mitigations apply to the broader PPE risk class and are effective against this vulnerability as well.\n3. **Restrict who can modify `phpunit.xml`:** Treat `phpunit.xml` as security-sensitive in code review, particularly `\u003cini\u003e` entries.\n4. **Sanitize host INI:** Ensure the host PHP\u0027s `php.ini` does not contain values with embedded newlines or unescaped metacharacters.",
"id": "GHSA-mh6w-vxff-9wqp",
"modified": "2026-04-22T14:56:07Z",
"published": "2026-04-22T14:56:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243"
},
{
"type": "WEB",
"url": "https://github.com/sebastianbergmann/phpunit/pull/6592"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpunit/phpunit/GHSA-qrr6-mg7r-m243.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sebastianbergmann/phpunit"
},
{
"type": "WEB",
"url": "https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes"
}
Mitigation
Avoid using CRLF as a special sequence.
Mitigation
Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.