CVE-2026-9658 (HIGH), CNA: CPANSec

CVE-2026-9658: Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in request paths unless they were double-encoded. For example, the following request line passed the rule:

    GET /path\r\nHTTP/1.1\r\nHost: secret.example.com

Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
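As an added defensive illustration (this is not code from the Plack::Middleware::Security::Common distribution or from the CVE record), a minimal Plack middleware that refuses any request whose path carries a CR or LF, whether the character arrives raw, once percent-encoded or double percent-encoded, which is the gap the rule left open before 0.13.1. The wrapped application and the 400 response body are placeholders.

```perl
use strict;
use warnings;
use Plack::Builder;

# Constructed example: inspect both the decoded PATH_INFO and the raw
# REQUEST_URI so the check does not depend on how the server decoded the path.
# CR/LF never belong in a legitimate request path, so rejecting is safe.
sub path_has_crlf {
    my ($env) = @_;
    for my $key (qw(PATH_INFO REQUEST_URI)) {
        my $v = $env->{$key};
        next unless defined $v;
        return 1 if $v =~ /[\r\n]/;            # raw CR or LF
        return 1 if $v =~ /%(?:25)?0[ad]/i;    # %0D / %0A, or %250D / %250A
    }
    return 0;
}

# Placeholder application standing in for the real PSGI app.
my $app = sub { [200, ['Content-Type' => 'text/plain'], ['ok']] };

builder {
    enable sub {
        my $next = shift;
        sub {
            my $env = shift;
            return [400, ['Content-Type' => 'text/plain'], ['Bad Request']]
                if path_has_crlf($env);
            return $next->($env);
        };
    };
    $app;
};
```

Mounting this in front of the existing security middleware gives a fixed-version-independent backstop; it does not replace upgrading to 0.13.1.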

Metrics

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: 0.13.1
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a header injection vulnerability in Plack::Middleware::Security::Common, a Perl security middleware for Plack-based web applications, affecting all versions before 0.13.1. The flaw is reachable over the network with no authentication required, meaning any client that can send HTTP requests to the application can attempt exploitation. Successful exploitation allows an attacker to inject arbitrary HTTP headers or manipulate request routing, potentially leading to limited disclosure, tampering with request data, and minor service disruption. A patched-image rebuild at version 0.13.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-9658 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using feeds from upstream sources including CPANSec. Matching covers images in customer registries and CI/CD pipelines, including custom-built images that bundle Plack::Middleware::Security::Common.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 7.3 (HIGH) and weighting findings against each environment's configured compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on image ownership and policy rules.

Patch (Available)

A patched-image rebuild targeting Plack::Middleware::Security::Common 0.13.1 is available on HarborGuard for any image found running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test pass, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the application over the network by sending a crafted HTTP request to the exposed service.

  • Authentication: Not required

    No credentials or account are needed; any unauthenticated client that can send HTTP requests to the server can attempt the injection.

  • Victim interaction: Not required

    No user action is required; the attacker sends the malicious request directly to the server without involving any end user.

  • Attack complexity: Low (AC:L in the CVSS vector)

    The exploit is reliable and condition-free, requiring no race conditions or special environmental setup beyond network access to the target.

Blast Radius

  • Attacker injects arbitrary HTTP headers into server-side request processing, potentially influencing downstream proxy or application logic.
  • Attacker reads portions of response data or internal routing information exposed through header manipulation, achieving limited confidentiality impact.
  • Attacker modifies how requests are interpreted or forwarded, tampering with application-layer behavior at a limited scope.
  • Attacker may cause minor disruption to request handling or routing, degrading service availability in a limited way.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-9658 activates as soon as the CVE enters upstream feeds, with images in customer registries and pipelines matched automatically regardless of whether they use a vendor base image or a custom-built layer that bundles the affected Perl module. Where compliance policy permits, auto-remediation customers receive a rebuilt image at Plack::Middleware::Security::Common 0.13.1, a regression-test run against that image, and a pull request opened against affected workloads. For high-severity CVEs, the median time from publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. Customers not using auto-remediation will see the finding in their HarborGuard dashboard scored at CVSS 7.3 (HIGH) and routed to the appropriate team based on configured ownership policies.


Fix available: 0.13.1

Affected packages
  • RRWO / Plack::Middleware::Security::Common: < 0.13.1 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L