CVE-2026-1502
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
CVSS
—
No CVSS
EPSS
0.6%
p43
KEV
—
Exploit Today
13
0-100
Published: Apr 10, 2026 · Last modified: Jun 30, 2026 · CWE-93
0.5%EPSS · 30 days0.6%
2026-06-302026-07-16
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
- github.comhttps://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69
- github.comhttps://github.com/python/cpython/commit/56b7100b04e44ea27989242b176beb8f016b2c53
- github.comhttps://github.com/python/cpython/commit/58703ec1bdd1eb075e8b01a0c427683ce594dd3e
- github.comhttps://github.com/python/cpython/commit/9e071c9b28c17f347f81b388a003d4eeb3c7a8dd
- github.comhttps://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed
- github.comhttps://github.com/python/cpython/commit/c00c386faa579ad71196d33408644478488e43ec
- github.comhttps://github.com/python/cpython/issues/146211
- github.comhttps://github.com/python/cpython/pull/146212
- mail.python.orghttps://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/04/11/4
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-399838.6 HIG80.4%
——24basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.2dCVE-2026-425787.5 HIG57.3%
——17Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.2dCVE-2026-422585.3 MED52.9%
——16Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.16hCVE-2026-45067—45.6%
——14### Description
`Symfony\Component\Mime\Address` is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary.
The constructor accepts email addresses whose local-part (the part before `@`) is an RFC-5322 *quoted string* containing raw `\r\n` bytes — e.g. `"x\r\nBcc: attacker@evil"@example.com`. The stored address is later emitted verbatim into (1) the rendered message headers and (2) `SmtpTransport`'s `MAIL FROM:<...>` / `RCPT TO:<...>` protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command.
### Resolution
The `Address` constructor now rejects addresses containing line breaks.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dc2dbd29211eb4ddc451373fa1374fb926e94604) for branch 5.4.
### Credits
We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.2dCVE-2026-572817.5 HIG44.4%
——13Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.2dCVE-2025-283578.8 HIG33.4%
——10A CRLF injection vulnerability in Neto CMS v6.313.0 through v6.314.0 allows attackers to execute arbitrary code via supplying a crafted HTTP request.12d