CVE Catalog

CVE-2026-1502

MediumCVSS 5.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.47%

37th percentile - higher than 37% of all known CVEs

Summary

A vulnerability in the HTTP client allows CR/LF bytes to be injected into proxy tunnel headers or host, potentially leading to HTTP response splitting or cache poisoning attacks.

Risk Assessment

An attacker can manipulate HTTP responses, potentially redirecting users to malicious sites or poisoning the proxy cache.

Recommendation

Update the HTTP client library to the latest version that rejects CR/LF bytes in proxy tunnel headers and host.

Original NVD description (English source)

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS