CVE-2026-34715

Published: Apr 2, 2026

Modified: Apr 3, 2026

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser — but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6.

Vendor	Product	Versions
vshakitskiy	ewe	affected `< 3.0.6`

Weaknesses (CWE)

CWE-113

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf

x_refsource_CONFIRM

https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446

x_refsource_MISC

https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-34715

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References