CRLF Injection Vulnerability in HTTP::Tiny for Perl
CVE-2026-7010

Currently unrated

Key Information:

Vendor

Haarg

Status
Http::tiny
Vendor
CVE Published:
11 May 2026

What is CVE-2026-7010?

The HTTP::Tiny module for Perl prior to version 0.093 fails to properly validate the CRLF sequences in HTTP request lines and control field header values. This oversight allows attackers to manipulate the method and URI inputs, as well as the URL host which populates the Host header. Consequently, malicious users can inject unauthorized headers and perform request smuggling to the upstream server, potentially leading to various security breaches.

Affected Version(s)

HTTP::Tiny 0 < 0.093

References

https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d...
patch
https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/...
release-notes

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.