CVE-2026-3633
Last modified
CVE-2026-3633 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. EPSS estimates a 0.22% chance of exploitation in the next 30 days.
Description
A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Gnome | Libsoup | All versions |
| Redhat | Enterprise Linux | 6.0 |
| Redhat | Enterprise Linux | 7.0 |
| Redhat | Enterprise Linux | 8.0 |
| Redhat | Enterprise Linux | 9.0 |
| Redhat | Enterprise Linux | 10.0 |
References
- https://access.redhat.com/security/cve/CVE-2026-3633Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2445128Issue Tracking, Vendor Advisory
- https://gitlab.gnome.org/GNOME/libsoup/-/issues/484Exploit, Issue Tracking, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-3633?
How severe is CVE-2026-3633?
How do I fix CVE-2026-3633?
Are you affected by CVE-2026-3633?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST