{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34715", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.752Z", "datePublished": "2026-04-02T17:57:00.501Z", "dateUpdated": "2026-04-03T16:00:41.121Z"}, "containers": {"cna": {"title": "ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)", "problemTypes": [{"descriptions": [{"cweId": "CWE-113", "lang": "en", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf"}, {"name": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446", "tags": ["x_refsource_MISC"], "url": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446"}, {"name": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6"}], "affected": [{"vendor": "vshakitskiy", "product": "ewe", "versions": [{"version": "< 3.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:57:00.501Z"}, "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\\r\\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser \u2014 but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6."}], "source": {"advisory": "GHSA-x2w3-23jr-hrpf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:00:11.591060Z", "id": "CVE-2026-34715", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:00:41.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34715", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:00:11.591060Z"}}}], "references": [{"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:00:36.543Z"}}], "cna": {"title": "ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)", "source": {"advisory": "GHSA-x2w3-23jr-hrpf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "vshakitskiy", "product": "ewe", "versions": [{"status": "affected", "version": "< 3.0.6"}]}], "references": [{"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "name": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446", "name": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6", "name": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\\r\\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser \u2014 but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:57:00.501Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34715", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:00:41.121Z", "dateReserved": "2026-03-30T18:41:20.752Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:57:00.501Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\\r\\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser \u2014 but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6."}], "id": "CVE-2026-34715", "lastModified": "2026-04-03T16:16:40.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:32.910", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446"}, {"source": "security-advisories@github.com", "url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6"}, {"source": "security-advisories@github.com", "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-113"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ewe", "source": "cna", "vendor": "vshakitskiy"}, "product": "ewe", "vendor": "vshakitskiy"}], "analysis": {"en": {"generated_at": "2026-04-02T22:53:57.342272+00:00", "value": {"mitigation_remediation": ["Apply the official patch to upgrade ewe to version 3.0.6 or later", "If an immediate upgrade is not feasible, modify the application logic so that any user input passed to response headers is sanitized or rejected before being encoded", "Implement a custom header validator that removes or rejects CRLF sequences in outgoing headers", "Continuously monitor server logs for unexpected header patterns or repeated attempts to inject CRLF characters", "If a workaround cannot prevent header injection, consider temporarily disabling features that allow user\u2011controlled header values until the patch is applied"], "summary": {"action": "Patch Now", "impact": "Response Splitting and XSS via CRLF Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the web server software named ewe, developed by vshakitskiy. All releases prior to version 3.0.6 are susceptible because they use the unguarded encoder function. The patch that fixes the issue is included in the 3.0.6 release.", "description_and_impact": "The flaw lies in the encode_headers function of the web server, which inserts header keys and values directly into the HTTP bytes without removing CRLF (\r\\n) sequences. Because of this, an attacker who can supply arbitrary data to a response header\u2014such as setting a Location redirect header from a request parameter\u2014can inject extra CRLFs. This allows the attacker to break the intended response structure and inject additional HTTP content, leading to HTTP response splitting, cache poisoning, and, depending on the context, cross\u2011site scripting. The weakness corresponds to the Common Weakness Enumeration item CWE\u2011113: Improper Neutralization of CRLF Sequences.", "risk_and_exploitability": "The Common Vulnerability Scoring System assigns a score of 5.3, indicating a moderate severity. The Exploit Prediction Scoring System score is not available, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. The likely attack vector is remote, requiring the ability to send specially crafted HTTP requests to the vulnerable server. No privileged access is needed; an attacker can simply send a request containing a header value with CRLF characters to trigger the vulnerability. Once exploited, the attacker can interfere with client browsers, manipulate cache entries, or embed malicious scripts, depending on the header context."}}}}, "created": "2026-04-03T07:32:07.301665+00:00", "updated": "2026-04-03T09:17:08.227968+00:00", "vendors": ["vshakitskiy", "vshakitskiy$PRODUCT$ewe"]}