PT-2026-39726 · Cowlib · Cowlib

Loïc Hoguin

+1

·

Published

2026-05-11

·

Updated

2026-05-27

·

CVE-2026-43968

CVSS v4.0

6.3

Medium

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions cowlib versions 2.6.0 and later
Description Improper Neutralization of CRLF Sequences (CRLF Injection) allows SSE event splitting and injection through unvalidated field values. The cow sse:event/1 function guards the id and event fields against but not against r, while the internal prefix lines/2 function used for data and comment fields only splits on . Since the SSE specification treats r , r, and as equivalent line terminators, an attacker controlling these fields can inject additional SSE lines to forge events with arbitrary types and data payloads. In environments where browser EventSource clients or other SSE consumers render event.data or dispatch on event.type, this can lead to client-side logic manipulation and stored-XSS-equivalent behavior when data is inserted into the DOM.
Recommendations For versions 2.6.0 and later, sanitize user-controlled values before passing them to cow sse:event/1 by rejecting or stripping any value containing r or characters in the id, event, data, and comment fields. Ensure all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43968
GHSA-HV23-4QP7-8C8R

Affected Products

Cowlib