CVE-2026-21428 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2026-21428 Interim 1 1 2026-03-05T00:18:42Z current 2026-03-05T00:18:42Z 2026-03-05T00:18:42Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2026-21428 cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 cpp-httplib libcpp-httplib0_22 libcpp-httplib0_22 as a component of SUSE Linux Enterprise Server 16.0 cpp-httplib as a component of SUSE Linux Enterprise Server 16.0 libcpp-httplib0_22 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 cpp-httplib as a component of SUSE Linux Enterprise Server for SAP applications 16.0 cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue. CVE-2026-21428 important 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N