CVE-2026-1536 MEDIUM

CVE-2026-1536: Libsoup: libsoup: http header injection or response splitting via crlf injection in content-disposition header

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Weakness CWE-93 · CRLF injection
Published January 28, 2026
Last update March 25, 2026

CVSS base score

5.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.

Key dates

02Disclosure timeline

January 28, 2026 CVE published
March 25, 2026 Record updated