PatchSiren cyber security CVE debrief
CVE-2026-54163 github CVE debrief
CVE-2026-54163 is a MEDIUM severity vulnerability in secure_headers that allows attackers to inject Content-Security-Policy directives. This issue, fixed in version 7.3.0, enables attackers to inject CSP directives such as script-src 'unsafe-inline' * before the legitimate script-src, potentially leading to XSS or CSP report exfiltration. The vulnerability arises from the insecure construction of the Content-Security-Policy value by stitching directives with ; separators. Specifically, the build_sandbox_list_directive, build_media_type_list_directive, and build_report_to_directive functions interpolate caller-supplied strings without properly scrubbing ;, , or . Users of secure_headers prior to version 7.3.0 should review their current version, update to 7.3.0 or later, and ensure that Content-Security-Policy directives are properly sanitized to prevent such attacks.
- Vendor
- github
- Product
- secure_headers
- CVSS
- MEDIUM 4.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of secure_headers prior to version 7.3.0 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing their current version, updating to 7.3.0 or later, and ensuring that Content-Security-Policy directives are properly sanitized.
Technical summary
The secure_headers library, prior to version 7.3.0, builds the Content-Security-Policy value by stitching directives with ; separators. The build_sandbox_list_directive, build_media_type_list_directive, and build_report_to_directive functions interpolate caller-supplied strings without scrubbing ;, , or . This allows an attacker to inject a CSP directive, such as script-src 'unsafe-inline' *, before the legitimate script-src, potentially enabling XSS or CSP report exfiltration.
Defensive priority
High
Recommended defensive actions
- Review and update secure_headers to version 7.3.0 or later
- Ensure Content-Security-Policy directives are properly sanitized
- Monitor for suspicious CSP directive injections
- Implement additional security measures to prevent XSS and report exfiltration
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record was published on 2026-07-17T21:17:08.107Z and has not been modified since then. The NVD entry is currently 4.7 MEDIUM. Limited evidence is available, and further investigation is recommended. The secure_headers library, prior to version 7.3.0, builds the Content-Security-Policy value by stitching directives with ; separators. The build_sandbox_list_directive, build_media_type_list_directive, and build_report_to_directive functions interpolate caller-supplied strings without scrubbing ;, , or . This allows an attacker to inject a CSP directive, such as script-src 'unsafe-inline' *, before the legitimate script-src, potentially enabling XSS or CSP report exfiltration. Users of secure_headers prior to version 7.3.0 should review their current version, update to 7.3.0 or later, and ensure that Content-Security-Policy directives are properly sanitized.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:08.107Z and has not been modified since then.