{"api_version":"1","generated_at":"2026-05-29T16:23:38+00:00","cve":"CVE-2026-9658","urls":{"html":"https://cve.report/CVE-2026-9658","api":"https://cve.report/api/cve/CVE-2026-9658.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-9658","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-9658"},"summary":{"title":"Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths","description":"Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.\n\nThe header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,\n\n  GET /path\\r\\nHTTP/1.1\\r\\nHost: secret.example.com\n\nNote that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.","state":"PUBLISHED","assigner":"CPANSec","published_at":"2026-05-28 13:16:25","updated_at":"2026-05-29 15:29:42"},"problem_types":["CWE-113","CWE-790","CWE-790 CWE-790 Improper Filtering of Special Elements","CWE-113 CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers"],"metrics":[],"references":[{"url":"https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes","name":"https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.openwall.com/lists/oss-security/2026/05/28/9","name":"http://www.openwall.com/lists/oss-security/2026/05/28/9","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-9658","name":"CVE Program 
record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9658","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"RRWO","product":"Plack::Middleware::Security::Common","version":"affected 0.13.1 custom","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Upgrade to 0.13.1 or later.","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"Use with the non_printable_chars rule to block header injections.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-05-28T22:33:29.133Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/05/28/9"}],"title":"CVE Program Container"}],"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Plack-Middleware-Security-Simple","product":"Plack::Middleware::Security::Common","programFiles":["lib/Plack/Middleware/Security/Common.pm"],"programRoutines":[{"name":"Plack::Middleware::Security::Common::header_injection"}],"repo":"https://github.com/robrwo/Plack-Middleware-Security-Simple","vendor":"RRWO","versions":[{"lessThan":"0.13.1","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.\n\nThe header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,\n\n  GET /path\\r\\nHTTP/1.1\\r\\nHost: secret.example.com\n\nNote that it is unclear whether request paths with CRLF followed by additional headers would be blocked by 
reverse proxies, or how they would be processed by Plack-based servers."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-790","description":"CWE-790 Improper Filtering of Special Elements","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-113","description":"CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-28T11:36:50.565Z","orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec"},"references":[{"tags":["release-notes"],"url":"https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes"}],"solutions":[{"lang":"en","value":"Upgrade to 0.13.1 or later."}],"source":{"discovery":"UNKNOWN"},"title":"Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths","workarounds":[{"lang":"en","value":"Use with the the the non_printable_chars rule to block header injections."}],"x_generator":{"engine":"cpansec-cna-tool 0.1"}}},"cveMetadata":{"assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","assignerShortName":"CPANSec","cveId":"CVE-2026-9658","datePublished":"2026-05-28T11:36:50.565Z","dateReserved":"2026-05-26T20:57:50.718Z","dateUpdated":"2026-05-28T22:33:29.133Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-28 13:16:25","lastModifiedDate":"2026-05-29 15:29:42","problem_types":["CWE-113","CWE-790","CWE-790 CWE-790 Improper Filtering of Special Elements","CWE-113 CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"9658","Ordinal":"1","Title":"Plack::Middleware::Security::Common versions before 0.13.1 for P","CVE":"CVE-2026-9658","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"9658","Ordinal":"1","NoteData":"Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request 
paths.\n\nThe header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,\n\n  GET /path\\r\\nHTTP/1.1\\r\\nHost: secret.example.com\n\nNote that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.","Type":"Description","Title":"Plack::Middleware::Security::Common versions before 0.13.1 for P"}]}}}