Cyber Resilience

CVE-2026-45372

Critical · Public PoC · Updated

Published: 29 May 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: fixed in 0.44.0
CVSS v3.1 score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L)
EPSS score: 0.0029 (21.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-45372 is a critical-severity CRLF Injection (CWE-93) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

cpp-httplib is a C++11 single-file, header-only, cross-platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so an encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.
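As an added illustration of the ordering problem described above (a constructed example, not cpp-httplib's own code: the is_field_value and percent_decode functions here are simplified stand-ins for the library's real routines), the same check run on the raw value versus on the decoded bytes that will actually be stored:

```cpp
#include <cctype>
#include <string>

// Constructed stand-in for an HTTP field-value check: reject CR, LF and
// other control bytes (HTAB allowed), roughly following RFC 7230 field-content.
bool is_field_value(const std::string &v) {
    for (unsigned char c : v) {
        if (c == '\r' || c == '\n') return false;
        if (c < 0x20 && c != '\t') return false;
    }
    return true;
}

// Constructed minimal percent-decoder: "%0D" -> '\r', "%0A" -> '\n'.
std::string percent_decode(const std::string &s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out.push_back(static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16)));
            i += 2;
        } else {
            out.push_back(s[i]);
        }
    }
    return out;
}

// Vulnerable ordering as described in the advisory: validate the raw value,
// then decode it. "a%0D%0Ab" passes the check and is stored as "a\r\nb".
bool parse_header_vulnerable(const std::string &raw, std::string &stored) {
    if (!is_field_value(raw)) return false;
    stored = percent_decode(raw);
    return true;
}

// Hardened ordering (one possible remediation, assumed here rather than taken
// from the 0.44.0 fix): decode first, then validate the bytes that will be stored.
bool parse_header_fixed(const std::string &raw, std::string &stored) {
    std::string decoded = percent_decode(raw);
    if (!is_field_value(decoded)) return false;
    stored = decoded;
    return true;
}
```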

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CRLF injection in HTTP header parsing of a public-facing server library directly enables exploitation of the application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: yhirose
Product: cpp-httplib
Versions: ≤ 0.44.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References