VDB

DEBIAN-CVE-2026-1467

DEBIAN-CVE-2026-1467 PUBLISHED CVSS 5.300000190734863 MEDIUM

A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services.

Risk Scores

CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products

VendorProductVersions
Debian:13libsoup2.40, 2.74.3-10.1, 2.74.3-11
Debian:12libsoup33.4.1-1, 3.4.2-1, 3.4.2-2
Debian:14libsoup33.6.5-3, 0, 3.6.5-7
Debian:12libsoup2.42.74.3-8, 2.74.3-1, 2.74.3-1+deb12u1
Debian:13libsoup33.6.6-1, 3.6.5-3, 0
Debian:11libsoup2.42.74.2-3, 2.74.2-2, 2.74.1-1

Timeline

  • Jan 27, 2026 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›