CWE-113: HTTP Response Splitting — known CVE vulnerabilities
CVEs classified under CWE-113 (HTTP Response Splitting), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-38967 — CVSS 9.8 (critical): CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.
CVE-2026-34520 — CVSS 9.1 (critical): AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most…
CVE-2025-53007: arduino-esp32 provides an Arduino core for the ESP32. Versions prior to 3.3.0-RC1 and 3.2.1 contain a HTTP Response Splitting…
CVE-2024-52875 — CVSS 8.8 (high): An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and…
CVE-2018-0689 — CVSS 8.8 (high): HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13…
CVE-2018-11347 — CVSS 8.8 (high): The YunoHost 2.7.2 through 2.7.14 web application is affected by one HTTP Response Header Injection. This flaw allows an attacker to…
CVE-2025-61689: HTTP.jl is an HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate…
CVE-2018-3911 — CVSS 8.6 (high): An exploitable HTTP header injection vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version…
CVE-2016-8024 — CVSS 8.1 (high): Improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and…
CVE-2026-42578 — CVSS 7.5 (high): Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler…
CVE-2018-7830 — CVSS 7.5 (high): Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in…
CVE-2026-42035 — CVSS 7.4 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the…
CVE-2026-9658 — CVSS 7.3 (high): Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection…
CVE-2025-40927 — CVSS 7.3 (high): CGI::Simple versions before 1.282 for Perl has a HTTP response splitting flaw This vulnerability is a confirmed HTTP response splitting…
CVE-2026-39971 — CVSS 7.2 (high): Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php…
CVE-2015-1445 — CVSS 7.2 (high): HTTP header injection in the httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30.
CVE-2025-71381 — CVSS 6.5 (medium): Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the…
CVE-2026-50630 — CVSS 6.5 (medium): A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the…
CVE-2026-7010 — CVSS 6.5 (medium): HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs…
CVE-2025-41234 — CVSS 6.5 (medium): Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file…
CVE-2024-54021 — CVSS 6.5 (medium): An Improper Neutralization of CRLF Sequences in HTTP Headers ('http response splitting') vulnerability [CWE-113] in Fortinet FortiOS 7.2.0…
CVE-2026-27810 — CVSS 6.4 (medium): calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP…
CVE-2026-43966: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP…
CVE-2024-24795 — CVSS 6.3 (medium): HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into…
CVE-2024-20392 — CVSS 6.1 (medium): A vulnerability in the web-based management API of Cisco AsyncOS Software for Cisco Secure Email Gateway could allow an unauthenticated…
CVE-2018-18837 — CVSS 6.1 (medium): An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of…
CVE-2018-16181 — CVSS 6.1 (medium): HTTP header injection vulnerability in i-FILTER Ver.9.50R05 and earlier may allow remote attackers to inject arbitrary HTTP headers and…
CVE-2018-16979 — CVSS 6.1 (medium): Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to…
CVE-2018-1067 — CVSS 6.1 (medium): In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is…
CVE-2017-12308 — CVSS 6.1 (medium): A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to…
CVE-2017-1262 — CVSS 6.1 (medium): IBM Security Guardium 10.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using…
CVE-2017-7443 — CVSS 6.1 (medium): apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP response splitting via encoded newline characters, related to lack of…
CVE-2016-5325 — CVSS 6.1 (medium): CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before…
CVE-2016-6839 — CVSS 6.1 (medium): CRLF injection vulnerability in Huawei FusionAccess before V100R006C00 allows remote attackers to inject arbitrary HTTP headers and conduct…
CVE-2016-5699 — CVSS 6.1 (medium): CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x…
CVE-2023-42450 — CVSS 5.4 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2…
CVE-2026-38978 — CVSS 5.3 (medium): transmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths.
CVE-2026-34715 — CVSS 5.3 (medium): ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates…
CVE-2026-34519 — CVSS 5.3 (medium): AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the…
CVE-2026-34514 — CVSS 5.3 (medium): AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the…
CVE-2026-22779 — CVSS 5.3 (medium): BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client…
CVE-2025-0825 — CVSS 5.3 (medium): cpp-httplib version v0.17.3 through v0.18.3 fails to filter CRLF characters ("\r\n") when those are prefixed with a null byte. This enables…
CVE-2022-37436 — CVSS 5.3 (medium): Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers…
CVE-2017-17742 — CVSS 5.3 (medium): Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting…
CVE-2017-12309 — CVSS 5.3 (medium): A vulnerability in the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a HTTP response…
CVE-2007-5595 — CVSS 5.1 (medium): CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote…
CVE-2025-0588 — CVSS 4.9 (medium): In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By…
CVE-2026-40175 — CVSS 4.8 (medium): Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific…
CVE-2022-37953 — CVSS 4.7 (medium): An HTTP response splitting vulnerability exists in the AM Gateway Challenge-Response dialog of WorkstationST (<v07.09.15) and could allow…
CVE-2020-3117 — CVSS 4.7 (medium): A vulnerability in the API Framework of Cisco AsyncOS for Cisco Web Security Appliance (WSA) and Cisco Content Security Management…