CWE-644 (57 CVEs) MITRE definition

CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

Overview

CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax) is a weakness type used in vulnerability databases and security assessments; its definition, background, and the CVEs mapped to it are given in the sections below.

Security impact

The impact varies by product and context; combine the CVE records, their severity scores, and the MITRE description when prioritizing.

Description

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Applicable platforms

Type Name Prevalence OS / CPE
language Not Language-Specific Undetermined
technology Web Based Undetermined
technology Web Server Undetermined

CVEs in this database

The following CVEs are mapped to this weakness in this database and are retained for traceability and lookup.

CVE Published Summary
CVE-2026-54477 2026-07-02 The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks.
CVE-2026-55791 2026-07-01 Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitr…
CVE-2024-51454 2026-06-22 IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by impr…
CVE-2026-10836 2026-06-17 Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of mani…
CVE-2026-4096 2026-06-11 IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against …
CVE-2026-48126 2026-05-26 Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request …
CVE-2026-33805 2026-04-15 @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This all…
CVE-2025-66485 2026-04-01 IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks agai…
CVE-2026-33149 2026-03-26 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accep…
CVE-2025-14807 2026-03-25 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct …
CVE-2025-13213 2026-03-10 IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks …
CVE-2025-36227 2026-03-10 IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks …
CVE-2025-70948 2026-03-05 A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.
CVE-2026-1698 2026-02-26 A HTTP Host header attack vulnerability affects WebClient and the WebScheduler web apps of PcVue in version 15.0.0 through 16.3.3 included, allowing a remote attacker to inject harmful payloads that m…
CVE-2026-26747 2026-02-20 A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where …
CVE-2025-27901 2026-02-17 IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 IBM Db2 Recovery Expert for Linux, UNIX and Windows is vulnerable to HTTP header injection, caused by improper validation of input by the HOST heade…
CVE-2026-26234 2026-02-11 JUNG Smart Visu Server 1.1.1050 contains a request header manipulation vulnerability that allows unauthenticated attackers to override request URLs by injecting arbitrary values in the X-Forwarded-Hos…
CVE-2024-51451 2026-02-04 IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the…
CVE-2025-52660 2026-01-19 HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.
CVE-2025-64425 2026-01-05 Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset f…

Former names

  • Insufficient Filtering of HTTP Headers for Scripting Syntax (2008-10-14)
  • Insufficient Sanitization of HTTP Headers for Scripting Syntax (2009-05-27)
  • Improper Sanitization of HTTP Headers for Scripting Syntax (2010-04-05)

Submission

Name: Evgeny Lebanidze
Organization: Cigital
Date: 2008-01-30
Version: Draft 8

Modifications

Date Name Version Importance Comments
2008-07-01 Sean Eidemiller 1.0 added/updated demonstrative examples
2008-09-08 CWE Content Team 1.0 updated Common_Consequences, Relationships, Observed_Example
2008-10-14 CWE Content Team 1.0.1 updated Description, Name, Observed_Examples, Relationships
2009-03-10 CWE Content Team 1.3 updated Relationships
2009-05-27 CWE Content Team 1.4 updated Description, Name
2009-10-29 CWE Content Team 1.6 updated Common_Consequences
2010-04-05 CWE Content Team 1.8.1 updated Description, Name
2010-06-21 CWE Content Team 1.9 updated Demonstrative_Examples, Description, Observed_Examples
2010-12-13 CWE Content Team 1.11 updated Common_Consequences
2011-03-29 CWE Content Team 1.12 updated Description
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Enabling_Factors_for_Exploitation
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
cvelogic Threat Intelligence