CVE-2026-7010

Source
https://cve.org/CVERecord?id=CVE-2026-7010
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7010.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7010
Downstream
Related
Published
2026-05-11T21:14:20.581Z
Modified
2026-07-15T01:49:12.102046362Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values
Details

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.

The unvalidated inputs are the method and URI in the request line, the URL host that becomes the Host: header, and HTTP/1.1 control data field values.

An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.

Database specific
{
    "cna_assigner": "CPANSec",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7010.json",
    "cwe_ids": [
        "CWE-113"
    ]
}
References

Affected packages

Git / github.com/perl-toolchain-gang/http-tiny

Affected ranges

Type
GIT
Repo
https://github.com/perl-toolchain-gang/http-tiny
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.093"
        }
    ]
}

Affected versions

release-0.*
release-0.001
release-0.002
release-0.003
release-0.004
release-0.005
release-0.006
release-0.007
release-0.008
release-0.009
release-0.010
release-0.011
release-0.012
release-0.013
release-0.014
release-0.015
release-0.016
release-0.017
release-0.018
release-0.019
release-0.020
release-0.021
release-0.022
release-0.023
release-0.024
release-0.025
release-0.026
release-0.027
release-0.028
release-0.029
release-0.030
release-0.031
release-0.032
release-0.033
release-0.034
release-0.035
release-0.036
release-0.037
release-0.038
release-0.039
release-0.040
release-0.041
release-0.042
release-0.043
release-0.044
release-0.045
release-0.046
release-0.047
release-0.048
release-0.049
release-0.050
release-0.051
release-0.052
release-0.053
release-0.054
release-0.055
release-0.056
release-0.057
release-0.058
release-0.059
release-0.061
release-0.063
release-0.064
release-0.065
release-0.067
release-0.068
release-0.069
release-0.070
release-0.071
release-0.073
release-0.074
release-0.075
release-0.076
release-0.077
release-0.078
release-0.079
release-0.080
release-0.081
release-0.082
release-0.083
release-0.084
release-0.086
release-0.088
release-0.089
release-0.090
release-0.091
release-0.092

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7010.json"