
Donenfeld

#51565 of 53,630
4.3 Total CVSS
Vulnerabilities · 1
PT-2016-4913
4.3
2016-01-20
Cgit · Cgit · CVE-2016-1900
**Name of the Vulnerable Software and Affected Versions**

CGit versions prior to 0.12

**Description**

The issue allows remote attackers with permission to write to a repository to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via newline characters in a filename. This is due to a CRLF injection vulnerability in the cgit_print_http_headers function in ui-shared.c.

**Recommendations**

For CGit versions prior to 0.12, update to version 0.12 or later to resolve the issue. As a temporary workaround, consider restricting write access to repositories to minimize the risk of exploitation. Avoid using newline characters in filenames until the issue is resolved.