CVE-2025-40927

Name of the Vulnerable Software and Affected Versions CGI::Simple versions prior to 1.282

Description CGI::Simple contains a HTTP response splitting flaw that allows HTTP response header injection. This can be exploited to perform reflected cross-site scripting (XSS), open redirect, cache poisoning, or header manipulation attacks. An attacker can inject a newline character (e.g., %0A) into a query string parameter to break the HTTP header and inject new headers or an entire body, potentially delivering a script payload reflected in the server’s response. The validation mechanisms in place can be bypassed using URL-encoded values.

Recommendations Update CGI::Simple to version 1.282 or later.