PT-2026-45841 · Tesla · Tesla

Authors: Jonatan Männchen (+2)
Published: 2026-06-02 · Updated: 2026-06-02
CVE: CVE-2026-48598
CVSS v4.0: 2.1 (Low)
Vector: AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: tesla versions 0.8.0 through 1.18.2
Description: Improper encoding or escaping of output allows multipart part header injection through unescaped Content-Disposition parameter values. The function part_headers_for_disposition() interpolates disposition parameters without validating carriage return (\r), line feed (\n), or double-quote characters. These values are received from the caller via add_field() (the name parameter), add_file() (the filename parameter), and add_file_content() (the filename parameter and other disposition options). A double-quote character can close a quoted parameter prematurely, while \r\n sequences can terminate the Content-Disposition header to start a new forged header, or end the header block to prepend bytes to the part body. Additionally, add_file() derives its default filename with Path.basename(), which does not strip carriage returns or line feeds.
Recommendations: Update to version 1.18.3. Validate disposition parameter values before passing them to add_field(), add_file(), or add_file_content(), rejecting any value containing \r, \n, or double-quotes.
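A caller-side check for the recommendation above, written as an added example that is not Tesla's code: it refuses any disposition value containing \r, \n or a double quote before the value reaches add_field(), add_file() or add_file_content(), and shows that Path.basename/1 alone does not remove CR or LF. The module and function names are the example's own.

```elixir
defmodule DispositionParamGuard do
  @moduledoc """
  Pre-validates values that end up inside a multipart Content-Disposition
  header (add_field/3 names, add_file/3 and add_file_content/4 filenames
  and other disposition options). Added example, not Tesla's own code.
  """

  # A CR or LF terminates the header (or the whole header block); a double
  # quote closes the quoted parameter early. Refuse the value instead of
  # trying to repair it, as the advisory recommends.
  @forbidden ["\r", "\n", "\""]

  @spec validate(String.t()) :: {:ok, String.t()} | {:error, String.t()}
  def validate(value) when is_binary(value) do
    case Enum.find(@forbidden, &String.contains?(value, &1)) do
      nil -> {:ok, value}
      bad -> {:error, "disposition parameter contains #{inspect(bad)}"}
    end
  end

  def validate(_other), do: {:error, "disposition parameter must be a binary"}

  # Path.basename/1 only strips directories, so CR/LF survive into the
  # default filename; validate the basename before relying on it.
  @spec safe_basename(Path.t()) :: {:ok, String.t()} | {:error, String.t()}
  def safe_basename(path), do: path |> Path.basename() |> validate()

  # Checks every disposition-relevant input for one file part at once:
  # the filename plus any string-valued option such as :name.
  @spec check_file_part(String.t(), keyword()) :: :ok | {:error, String.t()}
  def check_file_part(filename, opts \\ []) do
    [filename | Keyword.values(opts)]
    |> Enum.filter(&is_binary/1)
    |> Enum.reduce_while(:ok, fn v, :ok ->
      case validate(v) do
        {:ok, _} -> {:cont, :ok}
        {:error, _} = err -> {:halt, err}
      end
    end)
  end
end

# Constructed sample inputs; only the last two are rejected.
IO.inspect(DispositionParamGuard.validate("report.pdf"), label: "plain")
IO.inspect(DispositionParamGuard.check_file_part("a.txt", name: "upload"), label: "ok")
IO.inspect(DispositionParamGuard.validate("a\".pdf"), label: "quote")
IO.inspect(DispositionParamGuard.safe_basename("uploads/x\r\ny.pdf"), label: "crlf")
```

Run with `elixir guard.exs`; on a rejection, skip the Tesla.Multipart call and return the error to the caller rather than sanitising the value.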


Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers: CVE-2026-48598, GHSA-28JH-G32X-V9V4

Affected Products: Tesla