CVE Catalog
CVE-2026-1502
MediumCVSS 5.7Exploitation Probability (EPSS)
Low risk0.47%
37th percentile - higher than 37% of all known CVEs
Summary
A vulnerability in the HTTP client allows CR/LF bytes to be injected into proxy tunnel headers or host, potentially leading to HTTP response splitting or cache poisoning attacks.
Risk Assessment
An attacker can manipulate HTTP responses, potentially redirecting users to malicious sites or poisoning the proxy cache.
Recommendation
Update the HTTP client library to the latest version that rejects CR/LF bytes in proxy tunnel headers and host.
Original NVD description (English source)
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

