CWE-113 · HTTP Response Splitting
100 CVEs classified under CWE-113 (HTTP Response Splitting). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-38967 | Critical | 9.8 | 2026-06-02 | CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values. |
| CVE-2026-34520 | Critical | 9.1 | 2026-04-01 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted… |
| CVE-2024-52875 | High | 8.8 | 2025-01-31 | An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.c… |
| CVE-2021-0268 | High | 8.8 | 2021-04-22 | An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') weakness in J-web of Juniper Networks Junos OS leads to buffer overflo… |
| CVE-2018-0689 | High | 8.8 | 2019-01-09 | HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions… |
| CVE-2018-13814 | High | 8.8 | 2018-12-13 | A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V14), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V1… |
| CVE-2018-11347 | High | 8.8 | 2018-12-04 | The YunoHost 2.7.2 through 2.7.14 web application is affected by one HTTP Response Header Injection. This flaw allows an attacker to inject, into the response… |
| CVE-2026-41683 | High | 8.6 | 2026-05-08 | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-… |
| CVE-2018-3911 | High | 8.6 | 2018-08-23 | An exploitable HTTP header injection vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore… |
| CVE-2025-59151 | High | 8.2 | 2025-10-27 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interfa… |
| CVE-2016-8024 | High | 8.1 | 2017-03-14 | Improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote u… |
| CVE-2026-50269 | High | 7.5 | 2026-06-22 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload head… |
| CVE-2026-42578 | High | 7.5 | 2026-05-13 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT… |
| CVE-2022-3215 | High | 7.5 | 2022-09-28 | NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts use… |
| CVE-2018-7830 | High | 7.5 | 2018-11-30 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in all Modicon M340, Pre… |
| CVE-2026-42035 | High | 7.4 | 2026-04-24 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (li… |
| CVE-2026-9658 | High | 7.3 | 2026-05-28 | Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffectiv… |
| CVE-2026-43870 | High | 7.3 | 2026-05-05 | Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Head… |
| CVE-2025-40927 | High | 7.3 | 2025-08-29 | CGI::Simple versions before 1.282 for Perl has a HTTP response splitting flaw. This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple tha… |
| CVE-2026-39971 | High | 7.2 | 2026-04-15 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTT… |