CVE-2026-48598

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.

Tesla.Multipart.part headers for disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (r), LF ( ), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add field/4 (the name parameter), Tesla.Multipart.add file/3, and Tesla.Multipart.add file content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a r ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second r , ends the entire part header block and prepends bytes to the part body. The default-filename path in add file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.

This issue affects tesla: from 0.8.0 before 1.18.3.