Skip to main content

CWE-144

Improper Neutralization of Line Delimiters

3 CVEs Avg CVSS 6.5 MITRE
0
CRITICAL
1
HIGH
2
MEDIUM
0
LOW
1
POC
0
KEV

Monthly

CVE-2026-53878 PyPI MEDIUM PATCH This Month

Header injection in Django's DomainNameValidator allows network attackers to inject arbitrary HTTP response headers when applications pass validator-accepted domain values directly into HTTP responses, affecting Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The validator silently accepts embedded newline characters in domain name strings, enabling HTTP response splitting that can facilitate session hijacking, open redirects, or cross-site scripting against end users. No public exploit code or CISA KEV listing exists at time of analysis; practical risk is narrowed significantly by Django's HttpResponse class independently rejecting newlines, meaning only non-standard code paths are exploitable.

Code Injection Python Django
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-24367 HIGH POC PATCH THREAT Act Now

Cacti monitoring platform prior to version 1.2.29 allows authenticated users to achieve remote code execution through the graph creation and template functionality. Attackers abuse the graphing engine to create arbitrary PHP scripts in the web root, escalating from monitoring access to full server control.

RCE PHP Cacti Suse
NVD GitHub
CVSS 4.0
8.7
EPSS
90.5%
Threat
6.0
CVE-2023-39212 MEDIUM This Month

Untrusted search path in Zoom Rooms for Windows before version 5.15.5 may allow an authenticated user to enable a denial of service via local access. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Microsoft Rooms
NVD
CVSS 3.1
5.5
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Header injection in Django's DomainNameValidator allows network attackers to inject arbitrary HTTP response headers when applications pass validator-accepted domain values directly into HTTP responses, affecting Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The validator silently accepts embedded newline characters in domain name strings, enabling HTTP response splitting that can facilitate session hijacking, open redirects, or cross-site scripting against end users. No public exploit code or CISA KEV listing exists at time of analysis; practical risk is narrowed significantly by Django's HttpResponse class independently rejecting newlines, meaning only non-standard code paths are exploitable.

Code Injection Python Django
NVD
EPSS 90% 6.0 CVSS 8.7
HIGH POC PATCH THREAT Act Now

Cacti monitoring platform prior to version 1.2.29 allows authenticated users to achieve remote code execution through the graph creation and template functionality. Attackers abuse the graphing engine to create arbitrary PHP scripts in the web root, escalating from monitoring access to full server control.

RCE PHP Cacti +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Untrusted search path in Zoom Rooms for Windows before version 5.15.5 may allow an authenticated user to enable a denial of service via local access. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Microsoft Rooms
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy