CVE-2026-3634
CWE-93 · Published: March 17, 2026 · Updated: Mar 19, 2026
Official Description
A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.
Technical Analysis
CVE-2026-3634 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
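The injection named in the Official Description, together with a caller-side guard, as an added example that is not libsoup code or the vendor's patch. `content_type_is_safe()` and `header_lines_on_wire()` are hypothetical helpers and the sample values are constructed; an application would run such a check on untrusted input before passing it to `soup_message_headers_set_content_type()`.

```c
#include <stdio.h>
#include <string.h>

/* RFC 9110 "tchar": characters allowed in a media type or subtype token. */
static int is_tchar(unsigned char c) {
    if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))
        return 1;
    return c != 0 && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Hypothetical guard: returns 1 only for "type/subtype" optionally followed
   by ";"-introduced parameters, with no CR, LF or other control bytes. */
int content_type_is_safe(const char *value) {
    const unsigned char *p = (const unsigned char *)value, *start;
    if (value == NULL) return 0;
    for (start = p; is_tchar(*p); p++) ;          /* type */
    if (p == start || *p != '/') return 0;
    for (start = ++p; is_tchar(*p); p++) ;        /* subtype */
    if (p == start) return 0;
    while (*p == ' ' || *p == '\t') p++;
    if (*p != '\0' && *p != ';') return 0;
    /* Parameter section: tab is the only control byte accepted. */
    for (; *p; p++)
        if ((*p < 0x20 && *p != '\t') || *p == 0x7f) return 0;
    return 1;
}

/* Serialises the value the way an unsanitising writer would and counts the
   CRLF-terminated header lines a peer would then parse. */
int header_lines_on_wire(const char *value) {
    char buf[256];
    int n = 0;
    snprintf(buf, sizeof buf, "Content-Type: %s\r\n", value);
    for (const char *q = buf; (q = strstr(q, "\r\n")) != NULL; q += 2)
        n++;
    return n;
}

int main(void) {
    /* Constructed sample values, not taken from any advisory. */
    const char *samples[] = { "text/html; charset=utf-8",
                              "text/plain\r\nX-Injected: 1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("safe=%d lines=%d\n", content_type_is_safe(samples[i]),
               header_lines_on_wire(samples[i]));
    return 0;
}
```

A value that yields more than one line on the wire is exactly the case the guard rejects.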
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-3634 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts