Untriaged
Permalink
CVE-2026-3633
3.9 LOW
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): HIGH
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): LOW
Libsoup: libsoup: header and http request injection via crlf injection
A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
References
Affected products
libsoup
libsoup3
Matching in nixpkgs
pkgs.libsoup_3
HTTP client/server library for GNOME
pkgs.libsoup_2_4
HTTP client/server library for GNOME
pkgs.tests.pkg-config.defaultPkgConfigPackages.%22libsoup-gnome-2.4%22
Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4
Package maintainers
-
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
-
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
-
@lovek323 Jason O'Conal <jason@oconal.id.au>
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@bobby285271 Bobby Rong <rjl931189261@126.com>
-
@jtojnar Jan Tojnar <jtojnar@gmail.com>