CVE-2026-9658

CVE-2026-9658: Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths

Vendor: Rrwo
Product: Plack::Middleware::Security::Common
Weakness: CWE-790
Published: May 28, 2026
Last update: June 1, 2026


What the vulnerability does

01 Description

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example:

    GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.

Key dates

02 Disclosure timeline

May 28, 2026: CVE published
June 1, 2026: Record updated