Skip to main content

Plack::Middleware::Security::Common CVE-2026-9658

| EUVDEUVD-2026-32892 HIGH
Improper Filtering of Special Elements (CWE-790)
2026-05-28 CPANSec GHSA-xcq6-chp9-g954
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jun 01, 2026 - 19:26 vuln.today
CVSS changed
Jun 01, 2026 - 19:22 NVD
7.3 (HIGH)
Patch available
May 28, 2026 - 14:01 EUVD
CVE Published
May 28, 2026 - 11:36 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.

The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,

GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.

AnalysisAI

Header injection filtering bypass in Plack::Middleware::Security::Common (Perl) versions prior to 0.13.1 allows remote attackers to smuggle CRLF sequences and additional headers through request paths that are not double-encoded. The flaw weakens a security middleware specifically designed to prevent header injection, and while EPSS sits at 0.03% (9th percentile) with no public exploit identified at time of analysis, downstream impact depends on how reverse proxies and Plack-based servers handle the unblocked CRLF payloads.

Technical ContextAI

Plack is the Perl PSGI (Perl Server Gateway Interface) toolkit, and Plack::Middleware::Security::Common is a CPAN module by RRWO providing a collection of security middlewares for Plack-based web applications. The root cause is CWE-790 (Improper Filtering of Special Elements), where the middleware's header-injection rule only matched double-encoded CRLF (%250D%250A) patterns rather than raw or single-encoded CRLF (\r\n) in the request path. The affected component is identified by CPE cpe:2.3:a:rrwo:plack::middleware::security::common and the flaw resides in the regex/decoding logic intended to neutralize HTTP header smuggling and response-splitting payloads before they reach the upstream application.

RemediationAI

Vendor-released patch: upgrade Plack::Middleware::Security::Common to version 0.13.1 or later from CPAN (see https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes); a typical install via cpanm Plack::Middleware::Security::Common@0.13.1 followed by application restart is sufficient. As a compensating control until upgrade, configure the upstream reverse proxy (nginx, Apache, HAProxy) to reject request paths containing raw CRLF or %0D%0A sequences - note this may break clients that legitimately send unusual but valid percent-encoded paths. Additionally, audit the broader Plack stack for any logic that trusts the unsanitized PATH_INFO/REQUEST_URI, since the middleware was previously assumed to block such payloads.

Share

CVE-2026-9658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy