CWE-113
HTTP Response Splitting
MITRE: No catalog description on file. The MITRE CWE site has the canonical reference.
Recent CVEs
showing 4 of 4
- CVE-2026-50630 · Medium · 6.5 · EPSS 0% · 21 h ago
A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) character
- CVE-2026-44489 · Low · 3.7 · EPSS 0% · 1 d ago
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
npm
- CVE-2026-49214 · Medium · 5.3 · EPSS 0% · 2 d ago
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application acce
- CVE-2026-43966 · — · EPSS 0% · 4 d ago
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escap
CWE catalog data sourced from MITRE. CVE associations come from NVD weakness mappings; some CVEs carry multiple CWEs.