CVE-2026-48596

June 3, 2026, 2:16 p.m.

2.1
Low

Description

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2. Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\r) or LF (\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing \r\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected. This issue affects tesla: from 0.8.0 before 1.18.3.

Product(s) Impacted

Vendor Product Versions
Elixir-tesla
  • Tesla
  • 0.8.0-1.18.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a elixir-tesla tesla 0.8.0-1.18.3 / / / / / / /

References

https://cna.erlef.org/cves/CVE-2026-48596.html
https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2
https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w
https://osv.dev/vulnerability/EEF-CVE-2026-48596
https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w

Tags

CWE-113
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
2026-06-02
CVE-2026-48596

CVSS Score

2.1 / 10

CVSS Data - 4.0

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 2, 2026, 8:16 p.m.
Last Modified: June 3, 2026, 2:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

6b3ad84c-e1a6-4bf7-a703-f496b71e49db

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.