CVE-2026-3633

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
CRLF Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.9 LOW
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
libsoup2.4
bookworm
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
trixie
vulnerable
libsoup3
bookworm
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libsoup2.4
bionic
deferred
focal
deferred
jammy
deferred
noble
deferred
questing
deferred
xenial
deferred
libsoup3
jammy
deferred
noble
deferred
questing
deferred
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2026-3633
https://bugzilla.redhat.com/show_bug.cgi?id=2445128
https://gitlab.gnome.org/GNOME/libsoup/-/issues/484