PatchSiren

ninenines CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM ninenines CVE published 2026-06-08

CVE-2026-43966

CVE-2026-43966 is an Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib. The vulnerability allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. This issue affects cowlib from 2.9.0. The CVSS score is 6.3, and the severity is MEDIUM.

HIGH ninenines CVE published 2026-06-08

CVE-2026-43974

CVE-2026-43974 is an Unexpected Status Code or Return Value vulnerability in the gun_http module of the ninenines gun library. A malicious HTTP server can force the client into raw protocol mode via an unsolicited 101 Switching Protocols response. This occurs because the gun_http:handle_inform/8 function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain [truncated]

HIGH ninenines CVE published 2026-06-08

CVE-2026-43973

CVE-2026-43973 is an Uncontrolled Resource Consumption vulnerability in the gun_http module of the ninenines gun library. The vulnerability allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering. This occurs because the gun_http:handle/5 function accumulates incoming TCP data into the connection's buffer field using binary concatenation with no upper-bound check. A ma [truncated]

MEDIUM ninenines CVE published 2026-06-08

CVE-2026-43972

CVE-2026-43972 is an Origin Validation Error vulnerability in the gun_http2 module of ninenines gun. The vulnerability allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority. This occurs because the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. As a result [truncated]

HIGH ninenines CVE published 2026-05-11

CVE-2026-7790

CVE-2026-7790 is a denial-of-service issue in cowlib’s HTTP chunked transfer-encoding parser. The parser accepts an unbounded number of hex digits in the chunk-size field, which can force excessive CPU work and memory use while parsing. According to the advisory, a drip-fed request can make the cost even worse by causing the parser to restart its accumulated length on each partial read. This is a remotely [truncated]

LOW ninenines CVE published 2026-05-11

CVE-2026-43969

CVE-2026-43969 is a low-scoring but real header-injection issue in cowlib’s client-side Cookie header encoder. If an application passes attacker-controlled cookie names or values into cow_cookie:cookie/1, the serialized header can be manipulated to smuggle extra cookie data or inject CRLF-separated headers/request data.