What is CVE-2026-9679?

CVE-2026-9679 is a medium-severity vulnerability in Undici, classified under CRLF Injection. CVSS score: 5.9/10. Published 2026-06-17.

How severe is CVE-2026-9679?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Vulnerability in Undici

CVE-2026-9679

Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and br…

Vulnerability class: CRLF Injection

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N.

Affected products

Undici — versions 0, 6.26.0, 7.0.0

Weakness classification (CWE)

CWE-93 — CRLF Injection

References

ce714d77-add3-4f53-aff5-83d477b104bb
ce714d77-add3-4f53-aff5-83d477b104bb

Frequently asked questions

What is CVE-2026-9679?: CVE-2026-9679 is a medium-severity vulnerability in Undici, classified under CRLF Injection. CVSS score: 5.9/10. Published 2026-06-17.
How severe is CVE-2026-9679?: Medium severity. CVSS v3 base score is 5.9 out of 10.