CWE-644 57 件の CVE MITRE の定義 ↗

CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

概要

CWE-644(Improper Neutralization of HTTP Headers for Scripting Syntax)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。

セキュリティへの影響
セキュリティ影響:製品や文脈に依存します。CVE 記録、深刻度、MITRE の説明を参照して優先度を判断してください。

説明

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

適用プラットフォーム

種別 名称 クラス 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Web Based Undetermined
technology Web Server Undetermined

このデータベースの関連 CVE

これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。

CVE 公開 概要
CVE-2026-54477 2026-07-02 The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks.
CVE-2026-55791 2026-07-01 Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitr…
CVE-2024-51454 2026-06-22 IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by impr…
CVE-2026-10836 2026-06-17 Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of mani…
CVE-2026-4096 2026-06-11 IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against …
CVE-2026-48126 2026-05-26 Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request …
CVE-2026-33805 2026-04-15 @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This all…
CVE-2025-66485 2026-04-01 IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.  This could allow an attacker to conduct various attacks agai…
CVE-2026-33149 2026-03-26 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accep…
CVE-2025-14807 2026-03-25 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct …
CVE-2025-13213 2026-03-10 IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks …
CVE-2025-36227 2026-03-10 IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.  This could allow an attacker to conduct various attacks …
CVE-2025-70948 2026-03-05 A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.
CVE-2026-1698 2026-02-26 A HTTP Host header attack vulnerability affects WebClient and the WebScheduler web apps of PcVue in version 15.0.0 through 16.3.3 included, allowing a remote attacker to inject harmful payloads that m…
CVE-2026-26747 2026-02-20 A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where …
CVE-2025-27901 2026-02-17 IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 IBM Db2 Recovery Expert for Linux, UNIX and Windows is vulnerable to HTTP header injection, caused by improper validation of input by the HOST heade…
CVE-2026-26234 2026-02-11 JUNG Smart Visu Server 1.1.1050 contains a request header manipulation vulnerability that allows unauthenticated attackers to override request URLs by injecting arbitrary values in the X-Forwarded-Hos…
CVE-2024-51451 2026-02-04 IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the…
CVE-2025-52660 2026-01-19 HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.
CVE-2025-64425 2026-01-05 Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset f…

旧名称

  • Insufficient Filtering of HTTP Headers for Scripting Syntax (2008-10-14)
  • Insufficient Sanitization of HTTP Headers for Scripting Syntax (2009-05-27)
  • Improper Sanitization of HTTP Headers for Scripting Syntax (2010-04-05)

コンテンツ投稿

名称
Evgeny Lebanidze
組織
Cigital
日付
2008-01-30
バージョン
Draft 8

コンテンツの変更履歴

日付 名称 バージョン 重要度 コメント
2008-07-01 Sean Eidemiller 1.0 added/updated demonstrative examples
2008-09-08 CWE Content Team 1.0 updated Common_Consequences, Relationships, Observed_Example
2008-10-14 CWE Content Team 1.0.1 updated Description, Name, Observed_Examples, Relationships
2009-03-10 CWE Content Team 1.3 updated Relationships
2009-05-27 CWE Content Team 1.4 updated Description, Name
2009-10-29 CWE Content Team 1.6 updated Common_Consequences
2010-04-05 CWE Content Team 1.8.1 updated Description, Name
2010-06-21 CWE Content Team 1.9 updated Demonstrative_Examples, Description, Observed_Examples
2010-12-13 CWE Content Team 1.11 updated Common_Consequences
2011-03-29 CWE Content Team 1.12 updated Description
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Enabling_Factors_for_Exploitation
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
cvelogic Threat Intelligence