PT-2026-1013 · Unknown+1 · Cpp-Httplib+1
Hritik14 · Published 2026-01-01 · Updated 2026-03-26 · CVE-2026-21428
CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
cpp-httplib versions prior to 0.30.0
Description
The write headers function in cpp-httplib does not properly validate user-supplied headers, specifically failing to check for carriage return (CR) and line feed (LF) characters. This allows attackers to inject additional headers, potentially modify the request body, and trigger a Server-Side Request Forgery (SSRF) attack. When used with servers supporting HTTP/1.1 pipelining, the risk of SSRF is increased. The vulnerable component is the write headers function.
Recommendations
Update to version 0.30.0 or later.
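The missing check described above, as an added example that is not cpp-httplib's code or its 0.30.0 fix: a header serializer without validation beside one that rejects control bytes before writing. All function names and the sample header are assumptions constructed for illustration.

```cpp
// Added example: not cpp-httplib's code. All function names are hypothetical.
#include <algorithm>
#include <cstdio>
#include <map>
#include <string>

using Headers = std::multimap<std::string, std::string>;

// Rejects CR, LF, NUL and other control bytes; HTAB is allowed.
// (A stricter check for field names would require RFC 9110 token characters.)
bool field_is_clean(const std::string& s) {
    return std::all_of(s.begin(), s.end(), [](unsigned char c) {
        return c == '\t' || (c >= 0x20 && c != 0x7f);
    });
}

// Unchecked serialization, the behaviour the advisory describes.
std::string write_headers_unchecked(const Headers& h) {
    std::string out;
    for (const auto& kv : h) out += kv.first + ": " + kv.second + "\r\n";
    return out + "\r\n";
}

// Checked serialization: refuses the whole block if any field is malformed.
bool write_headers_checked(const Headers& h, std::string& out) {
    for (const auto& kv : h)
        if (!field_is_clean(kv.first) || !field_is_clean(kv.second)) return false;
    out = write_headers_unchecked(h);
    return true;
}

// Number of header lines a receiver would parse before the blank line.
std::size_t count_header_lines(const std::string& block) {
    std::size_t n = 0, pos = 0, eol;
    while ((eol = block.find("\r\n", pos)) != std::string::npos && eol != pos) {
        ++n;
        pos = eol + 2;
    }
    return n;
}

int main() {
    Headers h;  // constructed sample: one value carrying an embedded CRLF
    h.emplace("X-Trace", "abc\r\nX-Injected: 1");
    std::string out;
    std::printf("unchecked lines=%zu, checked accepted=%d\n",
                count_header_lines(write_headers_unchecked(h)), (int)write_headers_checked(h, out));
}
```

Rejecting the request outright, rather than stripping the offending bytes, keeps the caller from sending a header whose meaning has silently changed.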
Affected Products
Debian
Cpp-Httplib