CVE-2026-7010

EUVD-2026-29344

11.05.2026, 22:22

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.

The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.

An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.

HTTP Request/Response Splitting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Debian Releases

Debian Product

Codename

libhttp-tiny-perl

bookworm	no-dsa
forky	0.092-3 fixed
sid	0.092-3 fixed
trixie	no-dsa

perl

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	5.40.1-8 fixed
sid	5.40.1-8 fixed
trixie	vulnerable

Amazon Linux Releases

Amazon Package

Release

perl-HTTP-Tiny

Amazon Linux 2	0:0.033-3.amzn2.0.2 fixed
Amazon Linux 2023	0:0.092-2.amzn2023.0.2 fixed

perl-HTTP-Tiny-tests

Amazon Linux 2023

0:0.092-2.amzn2023.0.2

fixed

Common Weakness Enumeration

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

References

https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d.patch

https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/changes

http://www.openwall.com/lists/oss-security/2026/05/11/17