{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34715", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.752Z", "datePublished": "2026-04-02T17:57:00.501Z", "dateUpdated": "2026-04-03T16:00:41.121Z"}, "containers": {"cna": {"title": "ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)", "problemTypes": [{"descriptions": [{"cweId": "CWE-113", "lang": "en", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf"}, {"name": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446", "tags": ["x_refsource_MISC"], "url": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446"}, {"name": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6"}], "affected": [{"vendor": "vshakitskiy", "product": "ewe", "versions": [{"version": "< 3.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:57:00.501Z"}, "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\\r\\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser \u2014 but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6."}], "source": {"advisory": "GHSA-x2w3-23jr-hrpf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:00:11.591060Z", "id": "CVE-2026-34715", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:00:41.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34715", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:00:11.591060Z"}}}], "references": [{"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:00:36.543Z"}}], "cna": {"title": "ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)", "source": {"advisory": "GHSA-x2w3-23jr-hrpf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "vshakitskiy", "product": "ewe", "versions": [{"status": "affected", "version": "< 3.0.6"}]}], "references": [{"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "name": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446", "name": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6", "name": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\\r\\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser \u2014 but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:57:00.501Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34715", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:00:41.121Z", "dateReserved": "2026-03-30T18:41:20.752Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:57:00.501Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2FC5C49-3780-4196-A493-57F172153863", "versionEndExcluding": "3.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\\r\\n) sequences. An application that passes user-controlled data into response headers (e.g., setting a Location redirect header from a request parameter) allows an attacker to inject arbitrary HTTP response content, leading to response splitting, cache poisoning, and possible cross-site scripting. Notably, ewe does validate CRLF in incoming request headers via validate_field_value() in the HTTP/1.1 parser \u2014 but provides no equivalent protection for outgoing response headers in the encoder. This issue has been patched in version 3.0.6."}], "id": "CVE-2026-34715", "lastModified": "2026-04-10T16:01:12.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-02T18:16:32.910", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vshakitskiy/ewe/commit/ce4ff214d32626a10fda9398dc94a2d720e17446"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-113"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ewe", "source": "cna", "vendor": "vshakitskiy"}, "product": "ewe", "vendor": "vshakitskiy"}], "analysis": {"en": {"generated_at": "2026-04-10T17:54:52.795797+00:00", "value": {"mitigation_remediation": ["Apply the latest release of ewe (v3.0.6 or newer) to ensure the header sanitization is enabled."], "summary": {"action": "Immediate Patch", "impact": "HTTP response splitting enabling XSS or cache poisoning"}, "threat_synthesis": {"affected_systems": "The affected product is the \"ewe\" web server, maintained by vshakitskiy. All releases prior to version 3.0.6 are vulnerable. Versions 3.0.6 and later include a patch that validates and strips CRLF sequences from outgoing headers.", "description_and_impact": "The vulnerability arises in the web server\u2019s header encoding routine, where header keys and values are inserted into the raw HTTP response without sanitizing carriage\u2011return or line\u2011feed characters. An attacker who can supply arbitrary values for response headers\u2014such as by manipulating a Location header from a user input\u2014can insert CRLF sequences. This results in an HTTP response split, allowing the injection of additional HTTP headers or arbitrary response body content. The injected content may be used for cross\u2011site scripting or to poison caching proxies. The weakness is a classic response\u2011splitting flaw. The impact is the potential to exfiltrate data, alter page content seen by users, or redirect clients to malicious sites.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is remote exploitation via normal HTTP traffic to the server. The exploit requires an attacker to control header values, something feasible when an application propagates user\u2011controlled data into response headers without sanitization."}}}}, "created": "2026-04-03T07:32:07.301665+00:00", "updated": "2026-04-13T14:28:03.672121+00:00", "vendors": ["vshakitskiy", "vshakitskiy$PRODUCT$ewe"]}