Vulnerability-Lookup

CVE-2026-43968 (GCVE-0-2026-43968)

Vulnerability from cvelistv5 – Published: 2026-05-11 18:06 – Updated: 2026-05-12 12:11

Title

CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1

Summary

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Because the SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM. This issue affects cowlib from 2.6.0 before 2.16.1.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

CWE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Assigner

EEF

References

3 references

URL	Tags
https://cna.erlef.org/cves/CVE-2026-43968.html	relatedthird-party-advisory
https://osv.dev/vulnerability/EEF-CVE-2026-43968	related
https://github.com/ninenines/cowlib/commit/6165fc…	patch

Impacted products

2 products

Vendor	Product	Version
ninenines	cowlib	Affected: 2.6.0 , < 2.16.1 (semver) cpe:2.3:a:ninenines:cowlib::::::::
ninenines	cowlib	Affected: 93b2b897cde238506c803faad4d1602d79dba7c9 , < 6165fc40efa159ba1cceee7e7981e790acba5d9c (git) cpe:2.3:a:ninenines:cowlib::::::::

Credits

Peter Ullrich Loïc Hoguin

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43968",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:57:13.541982Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:57:38.074Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_sse"
          ],
          "packageName": "cowlib",
          "packageURL": "pkg:hex/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_sse.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_sse:event/1"
            },
            {
              "name": "cow_sse:event_id/1"
            },
            {
              "name": "cow_sse:event_name/1"
            },
            {
              "name": "cow_sse:event_data/1"
            },
            {
              "name": "cow_sse:event_comment/1"
            },
            {
              "name": "cow_sse:prefix_lines/2"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "lessThan": "2.16.1",
              "status": "affected",
              "version": "2.6.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_sse"
          ],
          "packageName": "ninenines/cowlib",
          "packageURL": "pkg:github/ninenines/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_sse.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_sse:event/1"
            },
            {
              "name": "cow_sse:event_id/1"
            },
            {
              "name": "cow_sse:event_name/1"
            },
            {
              "name": "cow_sse:event_data/1"
            },
            {
              "name": "cow_sse:event_comment/1"
            },
            {
              "name": "cow_sse:prefix_lines/2"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "lessThan": "6165fc40efa159ba1cceee7e7981e790acba5d9c",
              "status": "affected",
              "version": "93b2b897cde238506c803faad4d1602d79dba7c9",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must pass user-controlled data as the \u003ctt\u003eid\u003c/tt\u003e, \u003ctt\u003eevent\u003c/tt\u003e, \u003ctt\u003edata\u003c/tt\u003e, or \u003ctt\u003ecomment\u003c/tt\u003e field to \u003ctt\u003ecow_sse:event/1\u003c/tt\u003e (or a higher-level wrapper such as \u003ctt\u003ecowboy_req:stream_events/3\u003c/tt\u003e). Applications that construct SSE events exclusively from trusted, application-controlled values are not affected.\u003c/p\u003e"
            }
          ],
          "value": "The application must pass user-controlled data as the id, event, data, or comment field to cow_sse:event/1 (or a higher-level wrapper such as cowboy_req:stream_events/3). Applications that construct SSE events exclusively from trusted, application-controlled values are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.16.1",
                  "versionStartIncluding": "2.6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Lo\u00efc Hoguin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_sse:event/1\u003c/tt\u003e in cowlib guards the \u003ctt\u003eid\u003c/tt\u003e and \u003ctt\u003eevent\u003c/tt\u003e fields against \u003ctt\u003e\\n\u003c/tt\u003e but not against bare \u003ctt\u003e\\r\u003c/tt\u003e, and the internal \u003ctt\u003eprefix_lines/2\u003c/tt\u003e function used for \u003ctt\u003edata\u003c/tt\u003e and \u003ctt\u003ecomment\u003c/tt\u003e fields splits only on \u003ctt\u003e\\n\u003c/tt\u003e. Because the SSE specification requires decoders to treat \u003ctt\u003e\\r\\n\u003c/tt\u003e, \u003ctt\u003e\\r\u003c/tt\u003e, and \u003ctt\u003e\\n\u003c/tt\u003e as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser \u003ctt\u003eEventSource\u003c/tt\u003e clients or other SSE consumers dispatch on \u003ctt\u003eevent.type\u003c/tt\u003e and render \u003ctt\u003eevent.data\u003c/tt\u003e, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 2.6.0 before 2.16.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\n\ncow_sse:event/1 in cowlib guards the id and event fields against \\n but not against bare \\r, and the internal prefix_lines/2 function used for data and comment fields splits only on \\n. Because the SSE specification requires decoders to treat \\r\\n, \\r, and \\n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\n\nThis issue affects cowlib from 2.6.0 before 2.16.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-34",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-34 HTTP Response Splitting"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T12:11:43.388Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "related",
            "third-party-advisory"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-43968.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43968"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSanitize user-controlled values before passing them to \u003ctt\u003ecow_sse:event/1\u003c/tt\u003e: reject or strip any value containing \u003ctt\u003e\\r\u003c/tt\u003e or \u003ctt\u003e\\n\u003c/tt\u003e characters in the \u003ctt\u003eid\u003c/tt\u003e, \u003ctt\u003eevent\u003c/tt\u003e, \u003ctt\u003edata\u003c/tt\u003e, and \u003ctt\u003ecomment\u003c/tt\u003e fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.\u003c/p\u003e"
            }
          ],
          "value": "Sanitize user-controlled values before passing them to cow_sse:event/1: reject or strip any value containing \\r or \\n characters in the id, event, data, and comment fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-43968",
    "datePublished": "2026-05-11T18:06:42.881Z",
    "dateReserved": "2026-05-04T18:23:25.573Z",
    "dateUpdated": "2026-05-12T12:11:43.388Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43968",
      "date": "2026-05-26",
      "epss": "0.00039",
      "percentile": "0.11676"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43968\",\"sourceIdentifier\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"published\":\"2026-05-11T19:16:25.100\",\"lastModified\":\"2026-05-21T13:59:07.077\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\\n\\ncow_sse:event/1 in cowlib guards the id and event fields against \\\\n but not against bare \\\\r, and the internal prefix_lines/2 function used for data and comment fields splits only on \\\\n. Because the SSE specification requires decoders to treat \\\\r\\\\n, \\\\r, and \\\\n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\\n\\nThis issue affects cowlib from 2.6.0 before 2.16.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N\",\"baseScore\":4.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-93\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.0\",\"versionEndExcluding\":\"2.16.1\",\"matchCriteriaId\":\"481B089B-8D5C-40D8-B1F0-4E543F63F602\"}]}]}],\"references\":[{\"url\":\"https://cna.erlef.org/cves/CVE-2026-43968.html\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"tags\":[\"Patch\"]},{\"url\":\"https://osv.dev/vulnerability/EEF-CVE-2026-43968\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-43968\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-11T18:57:13.541982Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-11T18:57:24.423Z\"}}], \"cna\": {\"title\": \"CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Peter Ullrich\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Lo\\u00efc Hoguin\"}], \"impacts\": [{\"capecId\": \"CAPEC-34\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-34 HTTP Response Splitting\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/ninenines/cowlib\", \"vendor\": \"ninenines\", \"modules\": [\"cow_sse\"], \"product\": \"cowlib\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.6.0\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:hex/cowlib\", \"packageName\": \"cowlib\", \"programFiles\": [\"src/cow_sse.erl\"], \"collectionURL\": \"https://repo.hex.pm\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"cow_sse:event/1\"}, {\"name\": \"cow_sse:event_id/1\"}, {\"name\": \"cow_sse:event_name/1\"}, {\"name\": \"cow_sse:event_data/1\"}, {\"name\": \"cow_sse:event_comment/1\"}, {\"name\": \"cow_sse:prefix_lines/2\"}]}, {\"cpes\": [\"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/ninenines/cowlib\", \"vendor\": \"ninenines\", \"modules\": [\"cow_sse\"], \"product\": \"cowlib\", \"versions\": [{\"status\": \"affected\", \"version\": \"93b2b897cde238506c803faad4d1602d79dba7c9\", \"versionType\": \"git\"}], \"packageURL\": \"pkg:github/ninenines/cowlib\", \"packageName\": \"ninenines/cowlib\", \"programFiles\": [\"src/cow_sse.erl\"], \"collectionURL\": \"https://github.com\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"cow_sse:event/1\"}, {\"name\": \"cow_sse:event_id/1\"}, {\"name\": \"cow_sse:event_name/1\"}, {\"name\": \"cow_sse:event_data/1\"}, {\"name\": \"cow_sse:event_comment/1\"}, {\"name\": \"cow_sse:prefix_lines/2\"}]}], \"references\": [{\"url\": \"https://cna.erlef.org/cves/CVE-2026-43968.html\", \"tags\": [\"related\", \"third-party-advisory\"]}, {\"url\": \"https://osv.dev/vulnerability/EEF-CVE-2026-43968\", \"tags\": [\"related\"]}, {\"url\": \"https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c\", \"tags\": [\"patch\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Sanitize user-controlled values before passing them to cow_sse:event/1: reject or strip any value containing \\\\r or \\\\n characters in the id, event, data, and comment fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eSanitize user-controlled values before passing them to \u003ctt\u003ecow_sse:event/1\u003c/tt\u003e: reject or strip any value containing \u003ctt\u003e\\\\r\u003c/tt\u003e or \u003ctt\u003e\\\\n\u003c/tt\u003e characters in the \u003ctt\u003eid\u003c/tt\u003e, \u003ctt\u003eevent\u003c/tt\u003e, \u003ctt\u003edata\u003c/tt\u003e, and \u003ctt\u003ecomment\u003c/tt\u003e fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.\u003c/p\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\\n\\ncow_sse:event/1 in cowlib guards the id and event fields against \\\\n but not against bare \\\\r, and the internal prefix_lines/2 function used for data and comment fields splits only on \\\\n. Because the SSE specification requires decoders to treat \\\\r\\\\n, \\\\r, and \\\\n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\\n\\nThis issue affects cowlib from 2.6.0.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eImproper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_sse:event/1\u003c/tt\u003e in cowlib guards the \u003ctt\u003eid\u003c/tt\u003e and \u003ctt\u003eevent\u003c/tt\u003e fields against \u003ctt\u003e\\\\n\u003c/tt\u003e but not against bare \u003ctt\u003e\\\\r\u003c/tt\u003e, and the internal \u003ctt\u003eprefix_lines/2\u003c/tt\u003e function used for \u003ctt\u003edata\u003c/tt\u003e and \u003ctt\u003ecomment\u003c/tt\u003e fields splits only on \u003ctt\u003e\\\\n\u003c/tt\u003e. Because the SSE specification requires decoders to treat \u003ctt\u003e\\\\r\\\\n\u003c/tt\u003e, \u003ctt\u003e\\\\r\u003c/tt\u003e, and \u003ctt\u003e\\\\n\u003c/tt\u003e as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser \u003ctt\u003eEventSource\u003c/tt\u003e clients or other SSE consumers dispatch on \u003ctt\u003eevent.type\u003c/tt\u003e and render \u003ctt\u003eevent.data\u003c/tt\u003e, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 2.6.0.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-93\", \"description\": \"CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"The application must pass user-controlled data as the id, event, data, or comment field to cow_sse:event/1 (or a higher-level wrapper such as cowboy_req:stream_events/3). Applications that construct SSE events exclusively from trusted, application-controlled values are not affected.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe application must pass user-controlled data as the \u003ctt\u003eid\u003c/tt\u003e, \u003ctt\u003eevent\u003c/tt\u003e, \u003ctt\u003edata\u003c/tt\u003e, or \u003ctt\u003ecomment\u003c/tt\u003e field to \u003ctt\u003ecow_sse:event/1\u003c/tt\u003e (or a higher-level wrapper such as \u003ctt\u003ecowboy_req:stream_events/3\u003c/tt\u003e). Applications that construct SSE events exclusively from trusted, application-controlled values are not affected.\u003c/p\u003e\", \"base64\": false}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"2.6.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"shortName\": \"EEF\", \"dateUpdated\": \"2026-05-12T04:26:41.082Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-43968\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-12T04:26:41.082Z\", \"dateReserved\": \"2026-05-04T18:23:25.573Z\", \"assignerOrgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"datePublished\": \"2026-05-11T18:06:42.881Z\", \"assignerShortName\": \"EEF\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-43968

Vulnerability from fkie_nvd - Published: 2026-05-11 19:16 - Updated: 2026-05-21 13:59

Severity

4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Summary

References

URL	Tags
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://cna.erlef.org/cves/CVE-2026-43968.html	Vendor Advisory
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c	Patch
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://osv.dev/vulnerability/EEF-CVE-2026-43968	Third Party Advisory

Impacted products

	Vendor	Product	Version
	ninenines	cowlib	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "481B089B-8D5C-40D8-B1F0-4E543F63F602",
              "versionEndExcluding": "2.16.1",
              "versionStartIncluding": "2.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\n\ncow_sse:event/1 in cowlib guards the id and event fields against \\n but not against bare \\r, and the internal prefix_lines/2 function used for data and comment fields splits only on \\n. Because the SSE specification requires decoders to treat \\r\\n, \\r, and \\n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\n\nThis issue affects cowlib from 2.6.0 before 2.16.1."
    }
  ],
  "id": "CVE-2026-43968",
  "lastModified": "2026-05-21T13:59:07.077",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-11T19:16:25.100",
  "references": [
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://cna.erlef.org/cves/CVE-2026-43968.html"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43968"
    }
  ],
  "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-93"
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "type": "Secondary"
    }
  ]
}

GHSA-HV23-4QP7-8C8R

Vulnerability from github – Published: 2026-05-11 21:31 – Updated: 2026-05-18 16:47

Summary

ninenines cowlib: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability allows SSE event splitting and injection via unvalidated field values

Details

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.

cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Because the SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.

This issue affects cowlib from 2.6.0.

Severity

6.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "cowlib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.16.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43968"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T16:47:11Z",
    "nvd_published_at": "2026-05-11T19:16:25Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\n\ncow_sse:event/1 in cowlib guards the id and event fields against \\n but not against bare \\r, and the internal prefix_lines/2 function used for data and comment fields splits only on \\n. Because the SSE specification requires decoders to treat \\r\\n, \\r, and \\n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\n\nThis issue affects cowlib from 2.6.0.",
  "id": "GHSA-hv23-4qp7-8c8r",
  "modified": "2026-05-18T16:47:11Z",
  "published": "2026-05-11T21:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43968"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-43968.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ninenines/cowlib"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ninenines/cowlib/releases/tag/2.16.1"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43968"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ninenines cowlib: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability allows SSE event splitting and injection via unvalidated field values"
}

MSRC_CVE-2026-43968

Vulnerability from csaf_microsoft - Published: 2026-05-02 00:00 - Updated: 2026-05-26 01:38

Summary

CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-43968

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Unresolved product id: 20623-17084		—

Known affected 1 product

Product	Identifier	Version	Remediation
Unresolved product id: 17084-1		—	Vendor Fix fix

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-43968 CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1 - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-43968.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1",
    "tracking": {
      "current_release_date": "2026-05-26T01:38:33.000Z",
      "generator": {
        "date": "2026-05-26T07:13:49.449Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-43968",
      "initial_release_date": "2026-05-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-15T01:02:43.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2026-05-26T01:38:33.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 rabbitmq-server 0:3.13.7-3.azl3",
                "product": {
                  "name": "\u003cazl3 rabbitmq-server 0:3.13.7-3.azl3",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 rabbitmq-server 0:3.13.7-3.azl3",
                "product": {
                  "name": "azl3 rabbitmq-server 0:3.13.7-3.azl3",
                  "product_id": "20623"
                }
              }
            ],
            "category": "product_name",
            "name": "rabbitmq-server"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 rabbitmq-server 0:3.13.7-3.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 rabbitmq-server 0:3.13.7-3.azl3 as a component of Azure Linux 3.0",
          "product_id": "20623-17084"
        },
        "product_reference": "20623",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-43968",
      "cwe": {
        "id": "CWE-93",
        "name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
      },
      "notes": [
        {
          "category": "general",
          "text": "EEF",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "20623-17084"
        ],
        "known_affected": [
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-43968 CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1 - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-43968.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-15T01:02:43.000Z",
          "details": "0:3.13.7-4.azl3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "title": "CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-43968 (GCVE-0-2026-43968)

FKIE_CVE-2026-43968

GHSA-HV23-4QP7-8C8R

MSRC_CVE-2026-43968

Tags

Sightings

Nomenclature