Twisted Software Foundation · Twisted · CVE-2026-44546
**Name of the Vulnerable Software and Affected Versions**
daphne versions prior to 4.2.2
**Description**
A parser differential exists when raw HTTP requests are reconstructed from Twisted's parsed headers for WebSocket handshake processing in autobahn. Twisted does not recognize the bytes `\x0b`, `\x0c`, `\x1c`, `\x1d`, `\x1e`, or `\x85` as header line separators, but autobahn decodes these values to strings and uses the `splitlines()` function, which does treat them as line boundaries. This discrepancy allows an attacker to inject additional headers into the ASGI scope passed to the application.
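The differential described above, shown on a constructed header, together with a check that refuses to re-serialize such values. This is an added example, not code from daphne, Twisted or autobahn; the function names and the sample are hypothetical, and it assumes header bytes are decoded as ISO-8859-1 so that byte `\x85` becomes U+0085.

```python
# Added illustration; function names and the sample header are constructed.
# Assumption: header bytes are decoded as ISO-8859-1 (latin-1).

# Bytes listed in the advisory: str.splitlines() breaks on them, CRLF parsing does not.
SPLITLINES_ONLY = (0x0B, 0x0C, 0x1C, 0x1D, 0x1E, 0x85)


def crlf_header_lines(raw: bytes) -> list[bytes]:
    """Split a header block the way a CRLF-only parser sees it."""
    return [line for line in raw.split(b"\r\n") if line]


def splitlines_header_lines(raw: bytes) -> list[str]:
    """Split the same block after decoding, using str.splitlines()."""
    return [line for line in raw.decode("latin-1").splitlines() if line]


def differential_bytes(value: bytes) -> list[int]:
    """Return the bytes in `value` on which the two parsers disagree."""
    return sorted({b for b in value if b in SPLITLINES_ONLY})


def rebuild_headers(headers: list[tuple[bytes, bytes]]) -> bytes:
    """Re-serialize parsed headers, refusing any that would split downstream."""
    out = []
    for name, value in headers:
        bad = differential_bytes(name + value)
        if bad:
            raise ValueError(f"header {name!r} contains line-break bytes {bad}")
        out.append(name + b": " + value)
    return b"\r\n".join(out) + b"\r\n"


# Constructed sample: a single header line from the first parser's point of view.
SAMPLE = b"X-Demo: a\x0bX-Extra: b\r\n"

if __name__ == "__main__":
    print(crlf_header_lines(SAMPLE))        # first parser: one header line
    print(splitlines_header_lines(SAMPLE))  # second parser: two header lines
    print(differential_bytes(SAMPLE))       # the byte that causes the split
```

The same `differential_bytes` check can be run over logged header values to flag requests that exercised the discrepancy before the upgrade.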
**Recommendations**
Update to version 4.2.2 or later.