CWE-113 · HTTP Response Splitting

100 CVEs classified under CWE-113 (HTTP Response Splitting). Browse by severity and year.

Top CVEs for CWE-113
CVESeverityScorePublishedSummary
CVE-2026-38967Critical9.82026-06-02CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.
CVE-2026-34520Critical9.12026-04-01AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted…
CVE-2024-52875High8.82025-01-31An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.c…
CVE-2021-0268High8.82021-04-22An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') weakness in J-web of Juniper Networks Junos OS leads to buffer overflo…
CVE-2018-0689High8.82019-01-09HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions…
CVE-2018-13814High8.82018-12-13A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V14), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V1…
CVE-2018-11347High8.82018-12-04The YunoHost 2.7.2 through 2.7.14 web application is affected by one HTTP Response Header Injection. This flaw allows an attacker to inject, into the response…
CVE-2026-41683High8.62026-05-08i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-…
CVE-2018-3911High8.62018-08-23An exploitable HTTP header injection vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore…
CVE-2025-59151High8.22025-10-27Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interfa…
CVE-2016-8024High8.12017-03-14Improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote u…
CVE-2026-50269High7.52026-06-22AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload head…
CVE-2026-42578High7.52026-05-13Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT…
CVE-2022-3215High7.52022-09-28NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts use…
CVE-2018-7830High7.52018-11-30Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in all Modicon M340, Pre…
CVE-2026-42035High7.42026-04-24Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (li…
CVE-2026-9658High7.32026-05-28Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffectiv…
CVE-2026-43870High7.32026-05-05Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Head…
CVE-2025-40927High7.32025-08-29CGI::Simple versions before 1.282 for Perl has a HTTP response splitting flaw This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple tha…
CVE-2026-39971High7.22026-04-15Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTT…