DEBIAN-CVE-2026-1536

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-1536
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1536.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-1536
Upstream
  • CVE-2026-1536
Published
2026-01-28T16:16:16.540Z
Modified
2026-03-26T08:00:45.004623Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.

References

Affected packages

Debian:11
libsoup2.4

Package

Name
libsoup2.4
Purl
pkg:deb/debian/libsoup2.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.72.0-2
2.72.0-2+deb11u1
2.72.0-2+deb11u2
2.72.0-2+deb11u3
2.72.0-3
2.72.0-4
2.74.0-1
2.74.0-2
2.74.0-3
2.74.1-1
2.74.2-1
2.74.2-2
2.74.2-3
2.74.3-1
2.74.3-2
2.74.3-3
2.74.3-3.1~exp1
2.74.3-3.1~exp2
2.74.3-3.1~exp3
2.74.3-5
2.74.3-6
2.74.3-7
2.74.3-8
2.74.3-8.1
2.74.3-9
2.74.3-10
2.74.3-10.1
2.74.3-11

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1536.json"
Debian:12
libsoup2.4

Package

Name
libsoup2.4
Purl
pkg:deb/debian/libsoup2.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.74.3-1
2.74.3-1+deb12u1
2.74.3-2
2.74.3-3
2.74.3-3.1~exp1
2.74.3-3.1~exp2
2.74.3-3.1~exp3
2.74.3-5
2.74.3-6
2.74.3-7
2.74.3-8
2.74.3-8.1
2.74.3-9
2.74.3-10
2.74.3-10.1
2.74.3-11

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1536.json"
libsoup3

Package

Name
libsoup3
Purl
pkg:deb/debian/libsoup3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.2.2-2
3.2.3-0+deb12u1
3.2.3-0+deb12u2
3.3.1-1
3.4.0-1
3.4.1-1
3.4.2-1
3.4.2-2
3.4.2-3
3.4.2-4
3.4.3-1
3.4.4-1
3.4.4-2
3.4.4-3
3.4.4-4
3.4.4-5
3.5.2-1
3.6.0-1
3.6.0-2
3.6.0-3
3.6.0-4
3.6.1-1
3.6.4-1
3.6.4-2
3.6.4-3
3.6.5-1
3.6.5-2
3.6.5-3
3.6.5-4
3.6.5-5
3.6.5-6
3.6.5-7
3.6.5-8
3.6.5-9
3.6.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1536.json"
Debian:13
libsoup2.4

Package

Name
libsoup2.4
Purl
pkg:deb/debian/libsoup2.4?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.74.3-10.1
2.74.3-11

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1536.json"
libsoup3

Package

Name
libsoup3
Purl
pkg:deb/debian/libsoup3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.6.5-3
3.6.5-4
3.6.5-5
3.6.5-6
3.6.5-7
3.6.5-8
3.6.5-9
3.6.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1536.json"
Debian:14
libsoup3

Package

Name
libsoup3
Purl
pkg:deb/debian/libsoup3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.5-8

Affected versions

3.*
3.6.5-3
3.6.5-4
3.6.5-5
3.6.5-6
3.6.5-7

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-1536.json"