PT-2026-39866 · Cpan · Tiny-Http

Stig · Published 2026-05-11 · Updated 2026-05-18 · CVE-2026-7010

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

HTTP::Tiny versions prior to 0.093

Description

Perl HTTP::Tiny fails to validate CRLF (Carriage Return Line Feed) sequences in HTTP request lines or control field header values. The issue involves unvalidated inputs including the method and URI in the request line, the URL host used for the "Host:" header, and HTTP/1.1 control data field values. An attacker controlling these inputs, such as through a user-supplied URL in a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.

Recommendations

Update to version 0.093 or later.
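
Until the update is deployed, callers can check the inputs named in the description before they reach HTTP::Tiny. The following is an added example, not code from the advisory or from the HTTP::Tiny project; the helper name `request_input_problems` and the sample inputs are assumptions made for illustration.

```perl
use strict;
use warnings;
use HTTP::Tiny;

# Hypothetical helper (not part of HTTP::Tiny): returns a list of problems
# found in caller-supplied request inputs; an empty list means none found.
sub request_input_problems {
    my ($method, $url, $headers) = @_;
    my @problems;

    # Method must be an HTTP token. \z (not $) so a trailing "\n" cannot slip through.
    push @problems, 'method is not a valid HTTP token'
        unless defined $method && $method =~ /\A[A-Za-z0-9!#\$%&'*+.^_`|~-]+\z/;

    # No raw whitespace or control bytes anywhere in the URL: this covers the
    # request-line URI and the host that ends up in the "Host:" header.
    push @problems, 'URL contains whitespace or control characters'
        if !defined $url || $url =~ /[\x00-\x20\x7f]/;

    for my $name (sort keys %{ $headers || {} }) {
        (my $shown = $name) =~ s/[^\x21-\x7e]/?/g;    # keep log output single-line
        my $v = $headers->{$name};
        for my $value (ref $v eq 'ARRAY' ? @$v : ($v)) {
            push @problems, "header '$shown' value contains CR, LF or NUL"
                if !defined $value || $value =~ /[\r\n\x00]/;
        }
    }
    return @problems;
}

# UNIVERSAL::VERSION dies when the loaded module is older than the argument.
my $patched = eval { HTTP::Tiny->VERSION('0.093'); 1 } ? 'yes' : 'no';
print "HTTP::Tiny ", HTTP::Tiny->VERSION, " (>= 0.093: $patched)\n";

# Constructed sample inputs: method, URL, headers.
my @samples = (
    [ 'GET',   'http://example.test/hook',              { 'X-Trace' => 'abc123' } ],
    [ 'GET',   "http://example.test/hook\r\nX-Test: 1", {} ],
    [ "GET\n", 'http://example.test/hook',              {} ],
    [ 'POST',  'http://example.test/hook',              { 'X-Trace' => "abc\r\nX-Test: 1" } ],
);
for my $s (@samples) {
    my @p = request_input_problems(@$s);
    print @p ? 'REJECT: ' . join('; ', @p) . "\n" : "OK: no CR/LF or control characters found\n";
}
```

The check is defence in depth for webhook and URL fetch endpoints; it does not replace updating to 0.093 or later.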

Related Identifiers

CVE-2026-7010
OPENSUSE-SU-2026:10805-1

Affected Products

Tiny-Http