Description
HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.

The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.

An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HTTP::Tiny versions before 0.093 accept control characters in the request line and in HTTP/1.1 control data without validating them. This omission allows an attacker who controls the method, URI, host header, or other HTTP/1.1 control fields to inject additional header lines into the request. The injected headers can alter how the upstream server interprets the request, leading to HTTP request smuggling or other header manipulation scenarios. The weakness is a lack of CRLF validation (CWE-113).

Affected Systems

HAARG HTTP::Tiny. All releases prior to 0.093 are vulnerable. Applications that embed any of those older versions are susceptible. The fix is delivered in the 0.093-TRIAL package and later revisions.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, indicating no public evidence of exploitation yet. Exploitation requires the attacker to control input that is passed directly to HTTP::Tiny, such as a user-supplied URL passed to a webhook or fetch routine. When this condition is satisfied, request smuggling or header manipulation can occur. The CVSS score of 6.5 indicates moderate impact on request integrity, which justifies timely remediation.

Generated by OpenCVE AI on May 12, 2026 at 16:26 UTC.

Remediation

Vendor Solution

Upgrade to HTTP-Tiny 0.093-TRIAL or later.


OpenCVE Recommended Actions

  • Upgrade to HTTP::Tiny 0.093-TRIAL or newer
  • Validate or sanitize any URLs before passing them to HTTP::Tiny to ensure no CRLF or other control characters are present
  • Restrict untrusted user input that can be used as HTTP request components to a known safe set
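The second and third actions above can be implemented as a pre-flight check in the application that wraps HTTP::Tiny. The following is an added example written for this page, not code from the HTTP::Tiny distribution or from the advisory: it rejects any ASCII control character (which covers CR and LF) in the method, the URL (and therefore the host that becomes the `Host:` header) and every header name and value before the request object is handed to `HTTP::Tiny->request`. The function names `has_control_chars`, `validate_request_parts` and `safe_request` and the sample URLs are constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;

# True if the value contains any ASCII control character (0x00-0x1F, 0x7F).
# Rejecting the whole class, not just \r and \n, avoids having to reason about
# which other control bytes an upstream parser might treat as a line break.
sub has_control_chars {
    my ($value) = @_;
    return defined $value && $value =~ /[\x00-\x1F\x7F]/;
}

# Check every caller-controlled request component before HTTP::Tiny sees it.
# Returns a list of problems; an empty list means the request may be sent.
sub validate_request_parts {
    my ($method, $url, $headers) = @_;
    my @problems;
    push @problems, "method contains control characters" if has_control_chars($method);
    push @problems, "url contains control characters"    if has_control_chars($url);
    for my $name (sort keys %{ $headers || {} }) {
        push @problems, "header name '$name' contains control characters"
            if has_control_chars($name);
        my $v = $headers->{$name};
        # HTTP::Tiny allows an array reference for multi-valued headers.
        for my $val (ref $v eq 'ARRAY' ? @$v : ($v)) {
            push @problems, "header '$name' value contains control characters"
                if has_control_chars($val);
        }
    }
    return @problems;
}

# Drop-in wrapper around $http->request that refuses to send a tainted request.
# $opts is the same options hash HTTP::Tiny accepts (headers, content, ...).
sub safe_request {
    my ($http, $method, $url, $opts) = @_;
    $opts ||= {};
    my @problems = validate_request_parts($method, $url, $opts->{headers});
    die "refusing to send request: " . join('; ', @problems) . "\n" if @problems;
    return $http->request($method, $url, $opts);
}

# Make CR/LF visible when printing a sample.
sub show {
    my ($s) = @_;
    $s =~ s/\r/\\r/g;
    $s =~ s/\n/\\n/g;
    return $s;
}

# Constructed sample inputs for demonstration (not taken from the advisory).
my @samples = (
    "https://example.com/hook",                    # clean
    "https://example.com/hook\r\nX-Injected: 1",   # CRLF in the path
    "https://exam\r\nple.com/hook",                # CRLF in the host -> Host: header
);

for my $url (@samples) {
    my @problems = validate_request_parts('GET', $url, { 'User-Agent' => 'demo/1.0' });
    printf "%-48s %s\n", show($url),
        @problems ? "REJECT: " . join('; ', @problems) : "ok";
}
```

Run with `perl check.pl`; the first sample prints `ok` and the two CRLF samples print `REJECT`. The check is a stop-gap for code paths that cannot be upgraded immediately and complements, rather than replaces, moving to 0.093-TRIAL or later, which performs this validation inside the library itself.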

Advisories

No advisories yet.

History

Tue, 12 May 2026 15:30:00 +0000

Type: Metrics
Values Removed: -
Values Added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: -
Values Added: Haarg; Haarg http::tiny

Type: Vendors & Products
Values Removed: -
Values Added: Haarg; Haarg http::tiny

Tue, 12 May 2026 00:30:00 +0000

Type: References
Values Removed: -
Values Added: -

Mon, 11 May 2026 22:00:00 +0000

Type: Description
Values Removed: -
Values Added: HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.

Type: Title
Values Removed: -
Values Added: HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values

Type: Weaknesses
Values Removed: -
Values Added: CWE-113

Type: References
Values Removed: -
Values Added: -

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-12T14:45:06.662Z

Reserved: 2026-04-25T09:18:30.030Z

Link: CVE-2026-7010

Vulnrichment

Updated: 2026-05-12T14:43:42.474Z

NVD

Status: Deferred

Published: 2026-05-11T22:22:14.750

Modified: 2026-05-12T16:48:58.260

Link: CVE-2026-7010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T16:30:19Z

Weaknesses
  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')