PatchSiren cyber security CVE debrief

CVE-2026-43966 ninenines CVE debrief

CVE-2026-43966 is an Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib. The vulnerability allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. This issue affects cowlib from 2.9.0. The CVSS score is 6.3, and the severity is MEDIUM.

Vendor
ninenines
Product
cowlib
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-08
Original CVE updated
2026-06-09
Advisory published
2026-06-08
Advisory updated
2026-06-09

Who should care

Users of ninenines cowlib at version 2.9.0 or later should be aware of this vulnerability and take the necessary actions to mitigate it.

Technical summary

The vulnerability is in the cow_http_struct_hd:escape_string/2 function in cowlib, which escapes only backslashes and double quotes when serializing a structured-fields string value; it does not reject or escape other bytes outside the printable ASCII (VCHAR) range that the string grammar permits, such as CR and LF. This creates an asymmetry between the encoder and the decoder: the decoder never produces CR or LF from an escape sequence, but the encoder will emit them verbatim, so an attacker who controls a string value can inject a CRLF sequence into the serialized header. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.
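The check a serializer has to make is small, so it is worth seeing side by side. The block below is an added example written for this debrief; it is Python, not cowlib's Erlang, and none of the function names are cowlib's. `escape_string_weak` mirrors the behaviour described above (only backslash and double quote handled), `serialize_sf_string` applies the RFC 8941 rule that every character of an sf-string must be in the range %x20-7E and fails otherwise, and `is_safe_header` is a wire-level sanity check a defender can run over a serialized header line. The header name `x-example` and the sample values are constructed for the demonstration.

```python
"""Added example (not cowlib's code): structured-fields string serialization
with and without the VCHAR check, plus a wire-level check for injected CRLF."""


class InvalidSfString(ValueError):
    """Raised when a value cannot be represented as an RFC 8941 sf-string."""


def escape_string_weak(value: str) -> str:
    """Hypothetical rendering of the behaviour the advisory describes:
    only backslash and double quote are escaped; CR, LF and any other
    non-VCHAR character pass through to the wire unchanged."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def is_valid_sf_string(value: str) -> bool:
    """RFC 8941 section 4.1.6: every character must be %x20-7E (SP or VCHAR).
    CR (0x0d), LF (0x0a), other control bytes and non-ASCII all fail."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in value)


def serialize_sf_string(value: str) -> str:
    """Hardened form: refuse anything outside the sf-string grammar up front,
    then escape the only two characters the grammar allows to be escaped."""
    if not is_valid_sf_string(value):
        bad = next(ch for ch in value if not 0x20 <= ord(ch) <= 0x7E)
        raise InvalidSfString(f"non-VCHAR character 0x{ord(bad):02x} in sf-string")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_header(name: str, value: str, serializer=serialize_sf_string) -> bytes:
    """Serialize one header line as it would appear on the wire.
    latin-1 keeps a one-to-one byte mapping for the constructed inputs."""
    return f"{name}: {serializer(value)}\r\n".encode("latin-1")


def header_line_count(wire: bytes) -> int:
    """Number of header lines a line-oriented receiver would see in `wire`."""
    return wire.count(b"\r\n")


def is_safe_header(wire: bytes) -> bool:
    """A single serialized header must end in exactly one CRLF and contain
    no bare CR or LF before it; anything else indicates header splitting."""
    if not wire.endswith(b"\r\n"):
        return False
    body = wire[:-2]
    return b"\r" not in body and b"\n" not in body


if __name__ == "__main__":
    # Constructed value carrying a CRLF, as an attacker-controlled string might.
    tainted = "trusted\r\nx-example: injected"
    weak = build_header("x-example", tainted, escape_string_weak)
    print("weak serializer emits", header_line_count(weak), "header line(s); safe:", is_safe_header(weak))
    try:
        build_header("x-example", tainted)
    except InvalidSfString as exc:
        print("strict serializer refused the value:", exc)
    print("clean value:", build_header("x-example", 'a "quoted" value'))
```

The design point is that the VCHAR check belongs in the serializer, not in a filter bolted on afterwards: once the value is a string the encoder has already decided it is representable, and RFC 8941 defines serialization of an out-of-range character as a failure rather than something to encode. `is_safe_header` is a cheap secondary check for outgoing header lines, useful in tests or a proxy, but it is not a substitute for fixing the encoder.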

Defensive priority

MEDIUM

Recommended defensive actions

  • Update cowlib to a version that fixes this vulnerability.
  • Use a version of cowlib that is not affected by this vulnerability.

Evidence notes

The CVE record was published on 2026-06-08T17:16:43.447Z and modified on 2026-06-09T15:20:13.097Z. The vulnerability has a CVSS score of 6.3 and a severity of MEDIUM.

Official resources

CVE-2026-43966 was published on 2026-06-08T17:16:43.447Z and modified on 2026-06-09T15:20:13.097Z.