CVE-2026-48596

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add content type param/2.

Tesla.Multipart.add content type param/2 appends caller-supplied strings to the multipart content type params list without validating for CR (r) or LF ( ) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing r splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add content type param/2 is affected.

This issue affects tesla: from 0.8.0 before 1.18.3.