CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

46 CVEs | Avg CVSS 6.2 | Reference: MITRE
Severity: 1 Critical, 14 High, 25 Medium, 2 Low | Public POC: 7 | KEV: 0

CVE-2026-35601 MEDIUM PATCH GHSA This Month

CalDAV output generator in Vikunja allows authenticated users to inject arbitrary iCalendar properties via CRLF characters in task titles, bypassing RFC 5545 TEXT value escaping requirements. An attacker with project write access can craft malicious task titles that break iCalendar property boundaries, enabling injection of fake ATTACH URLs, VALARM notifications, or ORGANIZER spoofing when other users sync via CalDAV. Patch available in version 2.3.0; requires user interaction (calendar sync) to trigger on other users' clients.

Tags: RCE, Python | Sources: NVD, GitHub | CVSS 3.1: 4.1 | EPSS: 0.0%
CVE-2026-39958 MEDIUM This Month

oma package manager prior to version 1.25.2 fails to validate the name field in Topic Manifest metadata, allowing remote attackers with high privileges and network access to inject malicious APT source entries into /etc/apt/sources.list.d/atm.list. This manipulation could lead to supply chain attacks by redirecting package installation to attacker-controlled repositories, though exploitation requires specific preconditions including user interaction and partial attack timing. The vulnerability has been fixed in version 1.25.2.

Tags: Information Disclosure, Oma | Sources: NVD, GitHub | CVSS 4.0: 5.2 | EPSS: 0.0%
CVE-2026-39983 HIGH PATCH GHSA This Week

Command injection in basic-ftp npm package v5.2.0 allows unauthenticated remote attackers to inject arbitrary FTP protocol commands via CRLF sequences in file path parameters. Affected methods include cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). Inadequate input sanitization in protectWhitespace() combined with direct socket writes enables attackers to split single FTP commands into multiple commands, leading to unauthorized file deletion, directory manipulation, file exfiltration, or session hijacking. Vendor-released patch available in version 5.2.1. No public exploit identified at time of analysis. EPSS unavailable.

Tags: Command Injection, Node.js | Sources: NVD, GitHub | CVSS 3.1: 8.6 | EPSS: 1.2%
CVE-2026-39394 HIGH PATCH GHSA This Week

Environment variable injection in CI4MS CMS allows remote attackers to inject arbitrary configuration directives into the .env file during installation, potentially leading to full system compromise. Versions before 0.31.4.0 fail to sanitize newline characters in the host POST parameter, enabling attackers to bypass CSRF-disabled install routes and inject malicious configuration when InstallFilter validation fails. No public exploit identified at time of analysis, though EPSS exploitation probability warrants monitoring given the unauthenticated network attack vector.

Tags: CSRF | Sources: NVD, GitHub | CVSS 3.1: 8.1 | EPSS: 0.0%
CVE-2026-34975 HIGH This Week

CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers by embedding carriage return/line feed sequences in user-controlled fields (from.name, subject, custom headers, attachment filenames). Attackers can silently add Bcc headers for email forwarding, manipulate Reply-To addresses, or spoof senders by exploiting the lack of input sanitization before MIME message construction. CVSS 8.5 severity reflects network-accessible exploitation with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE identifier. Vendor-released patch: version 0.8.0 implements schema-level validation rejecting CR/LF characters.

Tags: Code Injection | Sources: NVD, GitHub, VulDB | CVSS 3.1: 8.5 | EPSS: 0.0%
CVE-2026-26962 MEDIUM PATCH GHSA This Month

Rack versions 3.2.0 through 3.2.5 fail to properly unfold folded multipart headers containing obs-fold sequences, preserving embedded CRLF characters in parsed parameter values like filename and name. This allows unauthenticated remote attackers with high request complexity to inject HTTP response headers or split responses when applications reuse these parsed values, leading to potential session hijacking, cache poisoning, or credential theft. The vulnerability carries a moderate CVSS score of 4.8 and no public exploit code has been identified at time of analysis.

Tags: Code Injection, Redhat, Suse | Sources: NVD, GitHub, VulDB | CVSS 3.1: 4.8 | EPSS: 0.0%
CVE-2026-2442 MEDIUM This Month

CRLF injection in Page Builder: Pagelayer WordPress plugin up to version 2.0.7 allows unauthenticated attackers to inject arbitrary email headers (Bcc, Cc, etc.) through contact form fields. The vulnerability stems from unsafe placeholder substitution into email headers without CR/LF sanitization, enabling email header spoofing and potential abuse of the form's email delivery. No public exploit code or active exploitation has been identified at time of analysis.

Tags: WordPress, Code Injection | Sources: NVD, VulDB | CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2026-20113 MEDIUM This Month

A CRLF injection vulnerability exists in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software that allows unauthenticated remote attackers to inject arbitrary log entries and manipulate log file structure. The vulnerability stems from insufficient input validation in the Cisco IOx management interface and affects a broad range of Cisco IOS XE Software versions from 16.6.1 through 17.18.1x. A successful exploit enables attackers to obscure legitimate log events, inject malicious log entries, or corrupt log file integrity without requiring authentication, making it particularly dangerous in environments where log analysis is relied upon for security monitoring and compliance.

Tags: Cisco, Code Injection, Apple | Sources: NVD, VulDB | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-33635 MEDIUM PATCH This Month

The Ruby icalendar library versions prior to the patched commit fail to sanitize carriage return and line feed characters in URI property values, allowing attackers to inject arbitrary ICS calendar lines through CRLF injection. Applications that generate .ics files from untrusted metadata are affected, enabling attackers to add malicious calendar properties such as attendees, URLs, or alarms that downstream calendar clients will process as legitimate event data. A proof-of-concept demonstrating the vulnerability is publicly available, and a patch is available from the vendor.

Tags: RCE | Sources: NVD, GitHub, VulDB | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2026-28753 MEDIUM PATCH This Month

NGINX Plus and NGINX Open Source contain an improper handling vulnerability in the ngx_mail_smtp_module that allows DNS response injection through malformed CRLF sequences. An attacker controlling a DNS server can inject arbitrary headers into SMTP upstream requests, potentially manipulating mail routing and message content. With a CVSS score of 3.7 and low attack complexity, this represents an integrity issue rather than a critical exploitability threat, though it requires network-level DNS control.

Tags: Nginx, Code Injection, Redhat, Suse | Sources: NVD, VulDB | CVSS 4.0: 6.3 | EPSS: 0.0%