CWE-93: CRLF Injection — known CVE vulnerabilities
CVEs classified under CWE-93 (CRLF Injection), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2024-51501: Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET The various header-related Refit attributes (Header…
CVE-2026-45372 — CVSS 9.9 (critical): cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an…
CVE-2026-11362 — CVSS 9.8 (critical): DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise…
CVE-2025-40671: SQL injection vulnerability in AES Multimedia's Gestnet v1.07. This vulnerability allows an attacker to retrieve, create, update and delete…
CVE-2026-11373 — CVSS 9.1 (critical): Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol…
CVE-2026-50638 — CVSS 9.1 (critical): Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and…
CVE-2026-9270 — CVSS 9.1 (critical): DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing…
CVE-2026-39958 — CVSS 9.1 (critical): oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics)…
CVE-2026-39849 — CVSS 8.8 (high): Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the…
CVE-2026-34458 — CVSS 8.8 (high): Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection…
CVE-2026-5140 — CVSS 8.8 (high): Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute…
CVE-2025-28357 — CVSS 8.8 (high): A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted…
CVE-2025-8715 — CVSS 8.8 (high): Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time…
CVE-2021-39172 — CVSS 8.8 (high): Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin)…
CVE-2026-23953 — CVSS 8.7 (high): Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a…
CVE-2025-53094: ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and…
CVE-2026-39983 — CVSS 8.6 (high): basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path…
CVE-2026-1714 — CVSS 8.6 (high): The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to…
CVE-2026-41230 — CVSS 8.5 (high): Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types…
CVE-2026-34975 — CVSS 8.5 (high): Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in…
CVE-2024-36459: A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and…
CVE-2026-32993 — CVSS 8.3 (high): Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject…
CVE-2026-50637 — CVSS 8.2 (high): Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and…
CVE-2026-46720 — CVSS 8.2 (high): Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines…
CVE-2025-59151 — CVSS 8.2 (high): Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application…
CVE-2023-38551 — CVSS 8.2 (high): A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code…
CVE-2024-20337 — CVSS 8.2 (high): A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a…
CVE-2026-39394 — CVSS 8.1 (high): CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme…
CVE-2017-15400 — CVSS 7.8 (high): Insufficient restriction of IPP filters in CUPS in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker to execute a command…
CVE-2025-52479: HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs)…
CVE-2026-57281 — CVSS 7.5 (high): Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions…
CVE-2026-55603 — CVSS 7.5 (high): http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody() is the library's documented…
CVE-2026-50269 — CVSS 7.5 (high): AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into…
CVE-2026-12143 — CVSS 7.5 (high): form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to…
CVE-2026-46741 — CVSS 7.5 (high): Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons…
CVE-2026-47075 — CVSS 7.5 (high): Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode…
CVE-2026-6351 — CVSS 7.5 (high): MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this…
CVE-2026-33128 — CVSS 7.5 (high): H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to…
CVE-2026-22777 — CVSS 7.5 (high): ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject…
CVE-2026-21428 — CVSS 7.5 (high): cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function…
CVE-2025-27111 — CVSS 7.5 (high): Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header…
CVE-2024-48868 — CVSS 7.5 (high): An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system…
CVE-2024-48867 — CVSS 7.5 (high): An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system…
CVE-2024-1226 — CVSS 7.5 (high): The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The…
CVE-2022-0666 — CVSS 7.5 (high): CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber…
CVE-2018-19585 — CVSS 7.5 (high): GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project…
CVE-2018-1000164 — CVSS 7.5 (high): gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers"…