PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54163 github CVE debrief

CVE-2026-54163 is a MEDIUM severity vulnerability in secure_headers that allows attackers to inject Content-Security-Policy directives. This issue, fixed in version 7.3.0, enables attackers to inject CSP directives such as script-src 'unsafe-inline' * before the legitimate script-src, potentially leading to XSS or CSP report exfiltration. The vulnerability arises from the insecure construction of the Content-Security-Policy value by stitching directives with ; separators. Specifically, the build_sandbox_list_directive, build_media_type_list_directive, and build_report_to_directive functions interpolate caller-supplied strings without properly scrubbing ;, , or . Users of secure_headers prior to version 7.3.0 should review their current version, update to 7.3.0 or later, and ensure that Content-Security-Policy directives are properly sanitized to prevent such attacks.

Vendor
github
Product
secure_headers
CVSS
MEDIUM 4.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of secure_headers prior to version 7.3.0 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing their current version, updating to 7.3.0 or later, and ensuring that Content-Security-Policy directives are properly sanitized.

Technical summary

The secure_headers library, prior to version 7.3.0, builds the Content-Security-Policy value by stitching directives with ; separators. The build_sandbox_list_directive, build_media_type_list_directive, and build_report_to_directive functions interpolate caller-supplied strings without scrubbing ;, , or . This allows an attacker to inject a CSP directive, such as script-src 'unsafe-inline' *, before the legitimate script-src, potentially enabling XSS or CSP report exfiltration.

Defensive priority

High

Recommended defensive actions

  • Review and update secure_headers to version 7.3.0 or later
  • Ensure Content-Security-Policy directives are properly sanitized
  • Monitor for suspicious CSP directive injections
  • Implement additional security measures to prevent XSS and report exfiltration
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-07-17T21:17:08.107Z and has not been modified since then. The NVD entry is currently 4.7 MEDIUM. Limited evidence is available, and further investigation is recommended. The secure_headers library, prior to version 7.3.0, builds the Content-Security-Policy value by stitching directives with ; separators. The build_sandbox_list_directive, build_media_type_list_directive, and build_report_to_directive functions interpolate caller-supplied strings without scrubbing ;, , or . This allows an attacker to inject a CSP directive, such as script-src 'unsafe-inline' *, before the legitimate script-src, potentially enabling XSS or CSP report exfiltration. Users of secure_headers prior to version 7.3.0 should review their current version, update to 7.3.0 or later, and ensure that Content-Security-Policy directives are properly sanitized.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:08.107Z and has not been modified since then.