CVE-2026-9658
Severity CVSS v4.0: Pending analysis
Type: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Publication date: 28/05/2026
Last modified: 29/05/2026
Description
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.

The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example:

    GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
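
The following Perl sketch is an added illustration, not code from Plack::Middleware::Security::Common or from this advisory. It assumes a hypothetical rule that searches the already-decoded PATH_INFO for the percent-encoded text %0d / %0a, which is one way a check can end up matching only double-encoded input; the patterns, helper names and sample request targets are constructed.

```perl
#!/usr/bin/env perl
# Added illustration; not the module's own rule or code.
use strict;
use warnings;

# PSGI servers percent-decode the path once before setting PATH_INFO;
# REQUEST_URI keeps the raw, undecoded request target.
sub decode_once {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Hypothetical weak rule: looks for the *encoded* text in the decoded path.
my $encoded_only = qr/%0[ad]/i;

# Hypothetical stricter rule: raw CR/LF or their percent-encoded forms.
my $crlf_any = qr/[\r\n]|%0[ad]/i;

# Build a minimal PSGI-like environment and evaluate both rules.
sub check {
    my ($raw_target) = @_;
    my %env = (
        REQUEST_URI => $raw_target,
        PATH_INFO   => decode_once($raw_target),
    );
    my $weak   = $env{PATH_INFO} =~ $encoded_only ? 1 : 0;
    my $strict = ( $env{PATH_INFO}   =~ $crlf_any
                || $env{REQUEST_URI} =~ $crlf_any ) ? 1 : 0;
    return { weak => $weak, strict => $strict };
}

# Constructed sample request targets.
my @samples = (
    [ 'single-encoded CRLF' => '/path%0D%0AHost:%20secret.example.com' ],
    [ 'double-encoded CRLF' => '/path%250D%250AHost:%20secret.example.com' ],
    [ 'benign path'         => '/path/index.html' ],
);

for my $s (@samples) {
    my ( $label, $target ) = @$s;
    my $r = check($target);
    printf "%-20s weak=%s strict=%s\n", $label,
        $r->{weak}   ? 'block' : 'pass',
        $r->{strict} ? 'block' : 'pass';
}
```

After one round of decoding, a single-encoded CRLF is a raw control character in PATH_INFO, so a pattern written against the encoded text only fires when the input was encoded twice; checking for raw CR/LF in the decoded path and the encoded forms in the raw target covers both cases.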



