CVE-2026-49756 is an Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in the Req library. This vulnerability allows multipart parameter smuggling via attacker-influenced part metadata. The issue arises from the `Req.Utils.encode_form_part/2` function in `lib/req/utils.ex`, which builds per-part headers by directly interpolating caller-supplied values (name, filename, and content_ [truncated]
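The header-building pattern described for CVE-2026-49756, shown beside a hardened form. This is an added example, not Req's code or its fix: the module `PartHeaderExample`, its function names, and the sample values are hypothetical. The escaping used for names and filenames is the one the WHATWG HTML multipart/form-data encoding algorithm specifies.

```elixir
# Added illustration; PartHeaderExample and its functions are hypothetical names.
defmodule PartHeaderExample do
  # The pattern the advisory describes: caller-supplied values are
  # interpolated into the part's header block unchanged.
  def unsafe_headers(name, filename, content_type) do
    build(name, filename, content_type)
  end

  # Hardened form: neutralize name/filename, reject a bad content type.
  def safe_headers(name, filename, content_type) do
    if String.contains?(content_type, ["\r", "\n"]) do
      {:error, :invalid_content_type}
    else
      {:ok, build(escape_param(name), escape_param(filename), content_type)}
    end
  end

  # Escaping the WHATWG HTML multipart/form-data algorithm applies to field
  # names and filenames: CR, LF and the double quote are percent-encoded.
  defp escape_param(value) do
    value
    |> String.replace("\r", "%0D")
    |> String.replace("\n", "%0A")
    |> String.replace("\"", "%22")
  end

  defp build(name, filename, content_type) do
    "content-disposition: form-data; name=\"#{name}\"; filename=\"#{filename}\"\r\n" <>
      "content-type: #{content_type}\r\n\r\n"
  end
end

# Constructed sample input: a filename carrying a CRLF and an extra header line.
crafted = "a.txt\"\r\nx-extra: 1"

# The CRLF survives, so the part gains a header line the caller never intended.
IO.inspect(PartHeaderExample.unsafe_headers("file", crafted, "text/plain"))
# The same value is neutralized and stays on a single header line.
IO.inspect(PartHeaderExample.safe_headers("file", crafted, "text/plain"))
# A content type with a line break is refused instead of being rewritten.
IO.inspect(PartHeaderExample.safe_headers("file", "a.txt", "text/plain\r\nx-extra: 1"))
```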
CVE-2026-49755 is a HIGH severity vulnerability in Req, a popular Erlang library. The vulnerability allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. This occurs due to improper handling of highly compressed data, also known as data amplification. Req's default response pipeline includes steps to decode and decompress the body, which can lead [truncated]