CVE-2026-3633

low-risk
Published 2026-03-17

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
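A caller-side guard for the issue described above, as an added example (not libsoup code and not the upstream fix): it accepts a method only if it is an RFC 9110 token, so CR, LF and spaces never reach request-line construction. The names `method_is_safe` and `build_request_line` are hypothetical, and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* RFC 9110 "tchar": the only characters allowed in an HTTP method token. */
static int is_tchar(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))
        return 1;
    /* strchr() would match the terminator, so exclude NUL explicitly. */
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Hypothetical helper: 1 only for a non-empty method made entirely of tchars. */
int method_is_safe(const char *method)
{
    if (method == NULL || *method == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)method; *p; p++)
        if (!is_tchar(*p))
            return 0;
    return 1;
}

/* Hypothetical stand-in for request-line construction: validates first,
 * then formats. Returns the length written, or -1 if the input is rejected. */
int build_request_line(char *out, size_t outlen, const char *method, const char *path)
{
    if (!method_is_safe(method))
        return -1;
    if (path == NULL || path[0] != '/' || strpbrk(path, "\r\n ") != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s %s HTTP/1.1\r\n", method, path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed samples: two valid methods, one carrying CRLF. */
    const char *samples[] = { "GET", "M-SEARCH", "GET\r\nX-Test: 1" };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_request_line(line, sizeof line, samples[i], "/index");
        printf("sample %zu: %s\n", i, n < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

Applying `method_is_safe()` to any externally influenced value before it is passed as the method argument of `soup_message_new()` keeps the request line to a single token regardless of the installed library version.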

Do I need to act?

- EPSS score: 0.04% chance of exploitation (low exploit probability)
- Not on CISA KEV list: no confirmed active exploitation reported to CISA
- Patch status unknown: check vendor advisories for fix availability and mitigation guidance
- CVSS 3.9/10 Low: NETWORK / HIGH complexity

Affected Vendors

26 / 100, low-risk

- Severity 13/34 · Low
- Exploitability 0/34 · Minimal
- Exposure 13/34 · Low