CVE-2026-26962
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.
Vendor
-
Product
-
CWE
Yayın Tarihi
2026-04-02 18:16:26
Güncelleme
2026-04-03 16:10:23
Source Identifier
security-advisories@github.com
KEV Date Added
-