CVE Alert

CVE-2026-9658

HIGH 7.3

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths

CVSS Score: 7.3
EPSS Score: 0.0%
EPSS Percentile: 9th

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET /path\r\nHTTP/1.1\r\nHost: secret.example.com. Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.

CWE: CWE-790, CWE-113
Vendor: rrwo
Product: plack::middleware::security::common
Published: May 28, 2026
Last Updated: Jun 1, 2026

Affected Versions

RRWO / Plack::Middleware::Security::Common
0 < 0.13.1

References

metacpan.org: https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes
openwall.com: http://www.openwall.com/lists/oss-security/2026/05/28/9