CWE-644 · Improper Neutralization of HTTP Headers for Scripting Syntax
48 CVEs classified under CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-47143 | Critical | 10.0 | 2024-02-02 | IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to HTTP header injection, caused by improper validation of input by… |
| CVE-2026-26234 | High | 8.8 | 2026-02-12 | JUNG Smart Visu Server 1.1.1050 contains a request header manipulation vulnerability that allows unauthenticated attackers to override request URLs by injectin… |
| CVE-2023-32465 | High | 8.8 | 2023-06-14 | Dell Power Protect Cyber Recovery, contains an Authentication Bypass vulnerability. An attacker could potentially exploit this vulnerability, leading to unaut… |
| CVE-2017-6031 | High | 8.8 | 2017-05-06 | A Header Injection issue was discovered in Certec EDV GmbH atvise scada prior to Version 3.0. An "improper neutralization of HTTP headers for scripting syntax"… |
| CVE-2026-33805 | High | 8.6 | 2026-04-15 | @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own he… |
| CVE-2025-64484 | High | 8.5 | 2025-11-10 | OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load… |
| CVE-2024-10006 | High | 8.3 | 2024-10-30 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based acces… |
| CVE-2026-48126 | High | 8.2 | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --dom… |
| CVE-2026-33149 | High | 8.1 | 2026-03-26 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*'… |
| CVE-2024-1064 | High | 7.5 | 2024-02-03 | A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Servi… |
| CVE-2024-47549 | High | 7.4 | 2024-10-25 | Sharp and Toshiba Tec MFPs improperly process query parameters in HTTP requests, which may allow contamination of unintended data to HTTP response headers. Ac… |
| CVE-2025-13803 | High | 7.3 | 2025-12-01 | A vulnerability was identified in MediaCrush 1.0.0/1.0.1. The affected element is an unknown function of the file /mediacrush/paths.py of the component Header… |
| CVE-2023-36921 | High | 7.2 | 2023-07-11 | SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request. This misleads SAP Diagnostics Agent to… |
| CVE-2021-21265 | Medium | 6.8 | 2021-03-10 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured… |
| CVE-2025-14807 | Medium | 6.5 | 2026-03-25 | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers… |
| CVE-2025-27901 | Medium | 6.5 | 2026-02-17 | IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 IBM Db2 Recovery Expert for Linux, UNIX and Windows is vulnerable to HTTP header injection, caused by impro… |
| CVE-2024-51451 | Medium | 6.5 | 2026-02-04 | IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attack… |
| CVE-2024-39736 | Medium | 6.5 | 2024-07-15 | IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers… |
| CVE-2025-52647 | Medium | 6.1 | 2025-10-10 | The BigFix WebUI application responds with HOST information from the HTTP header field making it vulnerable to Host Header Poisoning Attacks. |
| CVE-2025-27632 | Medium | 6.1 | 2025-03-25 | A Host Header Injection vulnerability in TRMTracker application may allow an attacker by modifying the host header value in an HTTP request to leverage multipl… |