Content Security Policy Vulnerability in SecureHeaders by GitHub
CVE-2026-54163

4.7MEDIUM

Key Information:

Vendor

Github

Vendor
CVE Published:
17 July 2026

What is CVE-2026-54163?

SecureHeaders manages the application of security headers with several safe defaults. Prior to version 7.3.0, it improperly constructs the Content-Security-Policy (CSP) by concatenating directives using semicolons. This flaw allows for the interpolation of untrusted input into critical CSP directives, potentially permitting an attacker to inject harmful CSP settings, such as enabling 'unsafe-inline' scripts. This could lead to Cross-Site Scripting (XSS) attacks or even exfiltration of sensitive data through CSP reports. The issue was resolved in version 7.3.0.

Affected Version(s)

secure_headers < 7.3.0

References

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.