
SUSE · CVE-2026-45372

EUVD: EUVD-2026-33427 · CRITICAL
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
Published 2026-05-29 · Source: GitHub_M
9.9 · CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 9.9 CRITICAL · AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
SUSE: CRITICAL (qualitative rating, no vector)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: Low

Lifecycle Timeline

Patch available: May 29, 2026 - 21:02 (EUVD)
Analysis generated: May 29, 2026 - 20:30 (vuln.today)

Description (GitHub Advisory)

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.

Analysis (AI-generated)

HTTP header injection in cpp-httplib server versions prior to 0.44.0 allows a remote, unauthenticated attacker to smuggle CRLF sequences into stored header values. The root cause is ordering: the is_field_value validity check runs on the raw header value before percent-decoding, so an encoded %0D%0A passes the check and is only afterwards expanded to a literal \r\n. The CVSS 9.9 score with Scope: Changed reflects that the injected line break is inert inside the library's own header map but can split into extra header lines once the stored value is re-serialized, logged or forwarded by a downstream HTTP component. No public exploit was identified at the time of analysis, and the issue is not on the CISA KEV list.
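The check-before-decode ordering called out in the description and analysis above, shown as an added example; this is not cpp-httplib's own code. The functions is_field_value, percent_decode and parse_header are illustrative stand-ins for the library's internals, and the "decode then check" branch is one hardening shown for contrast, not a description of the actual 0.44.0 patch, which this page does not detail. The attacker input is constructed for the example.

```cpp
// Added example, not cpp-httplib code: a minimal model of the header
// handling order the advisory describes. All names are illustrative.
#include <cctype>
#include <cstdio>
#include <optional>
#include <string>
#include <utility>

// Accept only bytes legal in an HTTP field-value: no CR/LF, no other
// control bytes except HTAB, no DEL.
bool is_field_value(const std::string& v) {
    for (unsigned char c : v) {
        if (c == '\r' || c == '\n') return false;
        if ((c < 0x20 && c != '\t') || c == 0x7f) return false;
    }
    return true;
}

// Minimal %XX decoder; malformed escapes are copied through unchanged.
std::string percent_decode(const std::string& in) {
    auto hex = [](char c) -> int {
        if (c >= '0' && c <= '9') return c - '0';
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        return -1;
    };
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            int hi = hex(in[i + 1]), lo = hex(in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out.push_back(static_cast<char>(hi * 16 + lo));
                i += 2;
                continue;
            }
        }
        out.push_back(in[i]);
    }
    return out;
}

enum class Order { CheckThenDecode, DecodeThenCheck };

// Parse "Name: value" and return the pair that would be stored, or
// nullopt if the value is rejected.
std::optional<std::pair<std::string, std::string>>
parse_header(const std::string& line, Order order) {
    auto colon = line.find(':');
    if (colon == std::string::npos) return std::nullopt;
    std::string name = line.substr(0, colon);
    std::string value = line.substr(colon + 1);
    while (!value.empty() && (value[0] == ' ' || value[0] == '\t'))
        value.erase(0, 1);  // strip leading optional whitespace

    if (order == Order::CheckThenDecode) {
        // Vulnerable order: the check sees "%0D%0A", which is plain ASCII
        // and passes; decoding then plants a literal "\r\n" in storage.
        if (!is_field_value(value)) return std::nullopt;
        value = percent_decode(value);
    } else {
        // Hardened order (an assumption of this example, not the upstream
        // fix): validate the exact bytes that will be stored.
        value = percent_decode(value);
        if (!is_field_value(value)) return std::nullopt;
    }
    return std::make_pair(name, value);
}

// Constructed attacker input: an encoded CRLF followed by a second header.
const std::string kInjected = "X-Forward: ok%0D%0AX-Injected: 1";

int main() {
    auto vuln = parse_header(kInjected, Order::CheckThenDecode);
    auto safe = parse_header(kInjected, Order::DecodeThenCheck);
    std::printf("check-then-decode stored CRLF: %s\n",
                vuln && vuln->second.find("\r\n") != std::string::npos ? "yes" : "no");
    std::printf("decode-then-check rejected:    %s\n", safe ? "no" : "yes");
    return 0;
}
```

Any downstream component that re-emits the stored value verbatim (a reverse proxy, an access log, a response that echoes request headers) would see "X-Injected: 1" as a separate header line in the vulnerable case; the hardened order never lets that byte sequence into storage.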


Recommended Action (AI-generated)

Within 24 hours: Conduct inventory of all systems running cpp-httplib and identify version numbers to assess exposure scope. …


Vendor Status

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed
openSUSE Leap 16.0 Fixed
