CVE-2026-48598
Severity CVSS v4.0:
LOW
Type:
Unavailable / Other
Publication date:
02/06/2026
Last modified:
03/06/2026
Description
Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.<br />
<br />
Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.<br />
<br />
This issue affects tesla: from 0.8.0 before 1.18.3.
Impact
Base Score 4.0
2.10
Severity 4.0
LOW
References to Advisories, Solutions, and Tools
- https://cna.erlef.org/cves/CVE-2026-48598.html
- https://github.com/elixir-tesla/tesla/commit/bb1a2c3da2775924d96e3db8e315dcc4d5d2246e
- https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4
- https://osv.dev/vulnerability/EEF-CVE-2026-48598
- https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4