DEBIAN-CVE-2026-1467

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-1467
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1467.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-1467
Upstream
  • CVE-2026-1467
Published
2026-01-27T10:15:48.597Z
Modified
2026-03-26T08:00:23.460476Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services.

References

Affected packages

Debian:11
libsoup2.4

Package

Name
libsoup2.4
Purl
pkg:deb/debian/libsoup2.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.72.0-2
2.72.0-2+deb11u1
2.72.0-2+deb11u2
2.72.0-2+deb11u3
2.72.0-3
2.72.0-4
2.74.0-1
2.74.0-2
2.74.0-3
2.74.1-1
2.74.2-1
2.74.2-2
2.74.2-3
2.74.3-1
2.74.3-2
2.74.3-3
2.74.3-3.1~exp1
2.74.3-3.1~exp2
2.74.3-3.1~exp3
2.74.3-5
2.74.3-6
2.74.3-7
2.74.3-8
2.74.3-8.1
2.74.3-9
2.74.3-10
2.74.3-10.1
2.74.3-11

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1467.json"
Debian:12
libsoup2.4

Package

Name
libsoup2.4
Purl
pkg:deb/debian/libsoup2.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.74.3-1
2.74.3-1+deb12u1
2.74.3-2
2.74.3-3
2.74.3-3.1~exp1
2.74.3-3.1~exp2
2.74.3-3.1~exp3
2.74.3-5
2.74.3-6
2.74.3-7
2.74.3-8
2.74.3-8.1
2.74.3-9
2.74.3-10
2.74.3-10.1
2.74.3-11

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1467.json"
libsoup3

Package

Name
libsoup3
Purl
pkg:deb/debian/libsoup3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.2.2-2
3.2.3-0+deb12u1
3.2.3-0+deb12u2
3.3.1-1
3.4.0-1
3.4.1-1
3.4.2-1
3.4.2-2
3.4.2-3
3.4.2-4
3.4.3-1
3.4.4-1
3.4.4-2
3.4.4-3
3.4.4-4
3.4.4-5
3.5.2-1
3.6.0-1
3.6.0-2
3.6.0-3
3.6.0-4
3.6.1-1
3.6.4-1
3.6.4-2
3.6.4-3
3.6.5-1
3.6.5-2
3.6.5-3
3.6.5-4
3.6.5-5
3.6.5-6
3.6.5-7
3.6.5-8
3.6.5-9
3.6.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1467.json"
Debian:13
libsoup2.4

Package

Name
libsoup2.4
Purl
pkg:deb/debian/libsoup2.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.74.3-10.1
2.74.3-11

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1467.json"
libsoup3

Package

Name
libsoup3
Purl
pkg:deb/debian/libsoup3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.6.5-3
3.6.5-4
3.6.5-5
3.6.5-6
3.6.5-7
3.6.5-8
3.6.5-9
3.6.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1467.json"
Debian:14
libsoup3

Package

Name
libsoup3
Purl
pkg:deb/debian/libsoup3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.5-8

Affected versions

3.*
3.6.5-3
3.6.5-4
3.6.5-5
3.6.5-6
3.6.5-7

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1467.json"