CRITICAL🇵🇱 Wersja polska

CVE-2026-38967

CVSS 9.8pub. 2026-06-02upd. 2026-06-04

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.

🤖 AI Analysis
How it works

The response header injection vulnerability (CWE-113) consists of the fact that an application built on the Crow library accepts unvalidated data and places it directly in HTTP response headers. An attacker can provide data containing newline characters (e.g. CR/LF – \r\n), which cause injection of additional headers or even splitting of the HTTP response (HTTP response splitting). As a result, it is possible to forge the content of the server response or embed malicious headers.

Impact

An attacker can conduct attacks such as HTTP response splitting, cache poisoning, XSS or redirect users to malicious websites, leading to violations of confidentiality, integrity and availability of application resources.

Mitigation & patch

The CrowCpp Crow library should be updated to a version containing the fix described in pull request #1167 in the project repository (https://github.com/CrowCpp/Crow/pull/1167). Patches available from the vendor should be applied according to the references.

Who is affected

CrowCpp Crow in versions up to v1.3.1 inclusive

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References