CVE-2026-7010

MEDIUM 6.5

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

7th

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.

CWE	CWE-113
Vendor	haarg
Product	http::tiny
Published	May 11, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for haarg http::tiny

Be the first to know when new medium vulnerabilities affecting haarg http::tiny are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

HAARG / HTTP::Tiny

0 < 0.093

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d.patch metacpan.org: https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/changes openwall.com: http://www.openwall.com/lists/oss-security/2026/05/11/17