OESA-2026-2372

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2372
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2372.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2372
Upstream
  • CVE-2026-7010
Published
2026-05-22T13:17:10Z
Modified
2026-05-22T13:30:15.707254278Z
Summary
perl-HTTP-Tiny security update
Details

This is a very simple HTTP/1.1 client, designed for doing simple requests without the overhead of a large framework like LWP::UserAgent.

Security Fix(es):

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.

The unvalidated inputs are the method and URI in the request line, the URL host that becomes the Host: header, and HTTP/1.1 control data field values.

An attacker who controls one of these inputs, for example a user-supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server. (CVE-2026-7010)

Database specific
{
    "severity": "Medium"
}
Affected packages

openEuler:24.03-LTS-SP3 / perl-HTTP-Tiny

Package

Name
perl-HTTP-Tiny
Purl
pkg:rpm/openEuler/perl-HTTP-Tiny&distro=openEuler-24.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.088-2.oe2403sp3

Ecosystem specific

{
    "src": [
        "perl-HTTP-Tiny-0.088-2.oe2403sp3.src.rpm"
    ],
    "noarch": [
        "perl-HTTP-Tiny-0.088-2.oe2403sp3.noarch.rpm",
        "perl-HTTP-Tiny-help-0.088-2.oe2403sp3.noarch.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2372.json"