Content Security Policy Vulnerability in SecureHeaders by GitHub
CVE-2026-54163
4.7MEDIUM
What is CVE-2026-54163?
SecureHeaders manages the application of security headers with several safe defaults. Prior to version 7.3.0, it improperly constructs the Content-Security-Policy (CSP) by concatenating directives using semicolons. This flaw allows for the interpolation of untrusted input into critical CSP directives, potentially permitting an attacker to inject harmful CSP settings, such as enabling 'unsafe-inline' scripts. This could lead to Cross-Site Scripting (XSS) attacks or even exfiltration of sensitive data through CSP reports. The issue was resolved in version 7.3.0.
Affected Version(s)
secure_headers < 7.3.0