CVE-2026-7010: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in HAARG HTTP::Tiny
CVE-2026-7010 is a vulnerability in HAARG HTTP::Tiny versions before 0. 093 for Perl where CRLF sequences in HTTP request lines and header values are not properly validated. This allows an attacker controlling inputs such as the HTTP method, URI, or Host header to inject additional headers and perform HTTP request/response splitting attacks. No official patch or remediation guidance is currently available. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
HAARG HTTP::Tiny versions prior to 0.093 for Perl do not validate carriage return and line feed (CRLF) characters in HTTP request lines or control field header values. Specifically, the method, URI, URL host (which forms the Host header), and HTTP/1.1 control data field values are susceptible to injection of CRLF sequences. An attacker who can supply these inputs, such as through user-supplied URLs passed to webhook or URL fetch endpoints, can inject additional HTTP headers and smuggle requests to upstream servers, leading to HTTP request/response splitting vulnerabilities classified under CWE-113.
Potential Impact
The vulnerability allows attackers to inject arbitrary HTTP headers and manipulate HTTP requests sent to upstream servers. This can lead to HTTP request/response splitting attacks, potentially enabling cache poisoning, cross-site scripting, or other HTTP-level attacks depending on the context in which HTTP::Tiny is used. However, no known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should avoid passing untrusted input directly to HTTP::Tiny request lines or headers. Implement input validation or sanitization to prevent CRLF injection in HTTP method, URI, and header values.
CVE-2026-7010: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in HAARG HTTP::Tiny
Description
CVE-2026-7010 is a vulnerability in HAARG HTTP::Tiny versions before 0. 093 for Perl where CRLF sequences in HTTP request lines and header values are not properly validated. This allows an attacker controlling inputs such as the HTTP method, URI, or Host header to inject additional headers and perform HTTP request/response splitting attacks. No official patch or remediation guidance is currently available. There are no known exploits in the wild at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
HAARG HTTP::Tiny versions prior to 0.093 for Perl do not validate carriage return and line feed (CRLF) characters in HTTP request lines or control field header values. Specifically, the method, URI, URL host (which forms the Host header), and HTTP/1.1 control data field values are susceptible to injection of CRLF sequences. An attacker who can supply these inputs, such as through user-supplied URLs passed to webhook or URL fetch endpoints, can inject additional HTTP headers and smuggle requests to upstream servers, leading to HTTP request/response splitting vulnerabilities classified under CWE-113.
Potential Impact
The vulnerability allows attackers to inject arbitrary HTTP headers and manipulate HTTP requests sent to upstream servers. This can lead to HTTP request/response splitting attacks, potentially enabling cache poisoning, cross-site scripting, or other HTTP-level attacks depending on the context in which HTTP::Tiny is used. However, no known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should avoid passing untrusted input directly to HTTP::Tiny request lines or headers. Implement input validation or sanitization to prevent CRLF injection in HTTP method, URI, and header values.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-04-25T09:18:30.030Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a026bb1cbff5d86106f2cf4
Added to database: 5/11/2026, 11:52:17 PM
Last enriched: 5/12/2026, 12:06:19 AM
Last updated: 5/12/2026, 1:34:09 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.