CVE-2026-1536

EUVD-2026-4887

28.01.2026, 16:16

A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.

CRLF Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.8 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
redhat	CNA	5.8 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 19%

Debian Releases

Debian Product

Codename

libsoup2.4

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	vulnerable
trixie	no-dsa

libsoup3

bookworm	no-dsa
forky	3.6.5-9 fixed
sid	3.6.6-1 fixed
trixie	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

libsoup2.4

bionic	needed
focal	needed
jammy	needed
noble	needed
questing	needed
xenial	needed

libsoup3

jammy	Fixed 3.0.7-0ubuntu1+esm7 released
noble	Fixed 3.4.4-5ubuntu0.7 released
questing	Fixed 3.6.5-4ubuntu0.2 released

Common Weakness Enumeration

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

References

https://access.redhat.com/security/cve/CVE-2026-1536

https://bugzilla.redhat.com/show_bug.cgi?id=2433834