CRLF Injection Vulnerability in Cowlib by Ninenines
CVE-2026-43968
6.3 MEDIUM
What is CVE-2026-43968?
Cowlib, the Web protocol support library by Ninenines, does not properly neutralize CRLF sequences in its Server-Sent Events (SSE) implementation. Field values are emitted without validation, and a carriage return in particular is not sanitized, so an attacker who controls a value that ends up in an SSE field can inject line breaks into the event stream. Because SSE clients treat CR, LF and CRLF alike as line terminators, an injected carriage return can end the current field and begin a new one, letting the attacker split one event into several and choose arbitrary event types and data payloads. Client-side logic that dispatches on the event type or trusts the data can be subverted, and if the injected data is rendered into the DOM without escaping the result resembles stored XSS. The advisory lists Cowlib 2.6.0 as affected.
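As an added illustration of the bug class (this is not Cowlib's code and does not reflect its API), the Python below pairs a naive SSE encoder that treats only LF as a line break with a hardened one, and runs both through a small EventSource-style parser that honours CR, LF and CRLF, as the SSE specification requires. The event name `status`, the attacker payload and all function names are constructed for the example.

```python
"""SSE event splitting via a lone carriage return: naive vs hardened encoder.

Constructed example, not cowlib code. The parser follows the WHATWG event
stream rules: a line ends at CR LF, a lone LF, or a lone CR; an empty line
dispatches the buffered event; `field: value` lines set fields.
"""
import re

# Every line-break form an SSE client will honour.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")

# Constructed attacker-controlled value: a CR CR pair closes the current
# event, then a forged event type and data field follow.
PAYLOAD = 'ok\r\revent: admin\rdata: {"cmd":"drop"}'


def encode_naive(event_type, data):
    """Vulnerable encoder: splits data on LF only, so a lone CR in `data`
    is copied verbatim and acts as a line terminator on the client."""
    out = f"event: {event_type}\n"
    for line in data.split("\n"):
        out += f"data: {line}\n"
    return out + "\n"


def encode_hardened(event_type, data):
    """Hardened encoder: single-line fields reject CR/LF outright; data is
    split on every line-break form so each fragment gets its own `data:`
    prefix and the client reassembles exactly one event (line breaks inside
    data are normalized to LF, which is all SSE can carry)."""
    if _LINE_BREAK.search(event_type):
        raise ValueError("event type must not contain CR or LF")
    out = f"event: {event_type}\n"
    for line in _LINE_BREAK.split(data):
        out += f"data: {line}\n"
    return out + "\n"


def parse_sse(stream):
    """Minimal EventSource-style parser. Returns a list of (type, data)."""
    events = []
    event_type, data_buf = "", []
    for line in _LINE_BREAK.split(stream):
        if line == "":
            # Blank line: dispatch if any data was buffered, then reset.
            if data_buf:
                events.append((event_type or "message", "\n".join(data_buf)))
            event_type, data_buf = "", []
            continue
        if line.startswith(":"):
            continue  # comment line
        field, sep, value = line.partition(":")
        if sep and value.startswith(" "):
            value = value[1:]  # a single leading space is stripped
        if field == "data":
            data_buf.append(value)
        elif field == "event":
            event_type = value
    return events


def demo():
    """Encode the same logical event both ways and parse as a client would."""
    naive = parse_sse(encode_naive("status", PAYLOAD))
    hardened = parse_sse(encode_hardened("status", PAYLOAD))
    return naive, hardened


if __name__ == "__main__":
    naive_events, hardened_events = demo()
    print("naive encoder  ->", naive_events)      # two events, second is 'admin'
    print("hardened encoder ->", hardened_events) # one 'status' event
```

With the naive encoder the client sees two events, the second with the attacker's type `admin` and JSON payload; with the hardened encoder the whole payload arrives as the data of a single `status` event. The check to carry back to any SSE or header encoder is the same: treat a lone CR as a line break, not just LF.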
Affected Version(s)
cowlib 2.6.0
cowlib 93b2b897cde238506c803faad4d1602d79dba7c9
