Cyber Posture

CVE-2026-21428

Severity: High · Public PoC

Published: 01 January 2026

Modified: 06 January 2026
KEV Added: not listed
Patch: fixed in version 0.30.0
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21428 is a high-severity CRLF Injection (CWE-93) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remotely exploitable CRLF/header injection flaw in a public-facing HTTP library, directly enabling T1190 (Exploit Public-Facing Application) with no authentication required.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the `write_headers` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.

Deeper analysis

CVE-2026-21428 affects cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, in versions prior to 0.30.0. The vulnerability resides in the `write_headers` function, which fails to validate user-supplied header values for carriage return (CR) and line feed (LF) characters. This oversight allows malicious header values to escape their intended lines, enabling header injection. The issue is classified under CWE-93 (Improper Neutralization of CRLF Sequences) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact from network-accessible exploitation without privileges.

Remote attackers can exploit this vulnerability by supplying crafted HTTP headers containing CR/LF sequences. Successful exploitation allows adding arbitrary extra headers, unexpectedly modifying the request body, and potentially triggering server-side request forgery (SSRF) attacks. The SSRF risk escalates when cpp-httplib is used with servers supporting HTTP/1.1 pipelining, such as Spring Boot or Python Twisted, as attackers can forge requests to internal or unauthorized endpoints.

The cpp-httplib project addresses this in version 0.30.0, which includes a fix via commit 98048a033a532ff22320ce1d11789f8d5710dfcd. Security practitioners should upgrade to v0.30.0 or later. Additional details are available in the GitHub security advisory (GHSA-wpc6-j37r-jcx7) and release notes.
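To make the CWE-93 point concrete, here is an added C++ example that is not cpp-httplib's own code: a naive header serializer that copies values verbatim (the defect class described above) next to a hardened one that refuses any header name or value containing CR or LF before a single byte is written. The function names (`serialize_unchecked`, `serialize_checked`, `contains_crlf`, `valid_header_name`, `count_lines`) and the sample header values are assumptions constructed for illustration; the line-count check is the kind of sanity test a unit or fuzz harness can apply to a serializer.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Added example, not cpp-httplib's code. Names below are illustrative.
using Headers = std::vector<std::pair<std::string, std::string>>;

// True if the string holds a bare CR or LF, either of which would end the
// current header line once the string is written into the wire format.
bool contains_crlf(const std::string &s) {
    return s.find('\r') != std::string::npos ||
           s.find('\n') != std::string::npos;
}

// Header field names are tokens: reject control characters, whitespace
// and ':' as well, so a name cannot smuggle in a separator either.
bool valid_header_name(const std::string &name) {
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (c <= 0x20 || c == 0x7f || c == ':') return false;
    }
    return true;
}

// Naive serializer with the CWE-93 defect: a value containing "\r\n"
// starts a new line on the wire, i.e. an additional header line appears.
std::string serialize_unchecked(const Headers &headers) {
    std::string out;
    for (const auto &h : headers) {
        out += h.first + ": " + h.second + "\r\n";
    }
    out += "\r\n";  // end of header block
    return out;
}

// Hardened serializer: validates every name and value first and returns
// false (emitting nothing) if any of them could break out of its line.
bool serialize_checked(const Headers &headers, std::string &out) {
    out.clear();
    for (const auto &h : headers) {
        if (!valid_header_name(h.first) || contains_crlf(h.second)) {
            out.clear();
            return false;
        }
        out += h.first + ": " + h.second + "\r\n";
    }
    out += "\r\n";
    return true;
}

// Count CRLF-terminated lines in a serialized block. A correct block has
// exactly headers.size() + 1 of them; any more means a line was injected.
std::size_t count_lines(const std::string &wire) {
    std::size_t n = 0, pos = 0;
    while ((pos = wire.find("\r\n", pos)) != std::string::npos) {
        ++n;
        pos += 2;
    }
    return n;
}

int main() {
    // Constructed sample: the second value carries an embedded CRLF.
    Headers tainted = {{"Host", "example.test"}, {"X-Note", "a\r\nb"}};

    std::string naive = serialize_unchecked(tainted);
    std::cout << "unchecked: " << count_lines(naive) << " lines for "
              << tainted.size() << " headers\n";  // 4 lines, expected 3

    std::string safe;
    bool ok = serialize_checked(tainted, safe);
    std::cout << "checked: " << (ok ? "accepted" : "rejected") << "\n";
    return 0;
}
```

The check belongs at the serialization boundary, not in each caller: once a value has reached the bytes-on-the-wire stage, nothing downstream can tell an injected line from a legitimate one, which is exactly why the pipelining scenario in the description turns a header flaw into SSRF.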

Details

CWE(s): CWE-93 (Improper Neutralization of CRLF Sequences)

Affected Products

yhirose / cpp-httplib ≤ 0.30.0

CVEs Like This One

CVE-2026-33745 · Same product: Yhirose Cpp-Httplib
CVE-2025-53628 · Same product: Yhirose Cpp-Httplib
CVE-2026-22776 · Same product: Yhirose Cpp-Httplib
CVE-2026-32627 · Same product: Yhirose Cpp-Httplib
CVE-2026-28435 · Same product: Yhirose Cpp-Httplib
CVE-2026-31870 · Same product: Yhirose Cpp-Httplib
CVE-2026-41230 · Shared CWE-93
CVE-2026-39394 · Shared CWE-93
CVE-2025-28357 · Shared CWE-93
CVE-2026-5140 · Shared CWE-93

References