Vulnerability Details CVE-2026-21428
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines.
This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.8%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-21428
-
cpe:2.3:a:yhirose:cpp-httplib:-
-
cpe:2.3:a:yhirose:cpp-httplib:0.10.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.10.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.10.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.10.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.10.4
-
cpe:2.3:a:yhirose:cpp-httplib:0.10.5
-
cpe:2.3:a:yhirose:cpp-httplib:0.10.6
-
cpe:2.3:a:yhirose:cpp-httplib:0.10.7
-
cpe:2.3:a:yhirose:cpp-httplib:0.10.8
-
cpe:2.3:a:yhirose:cpp-httplib:0.10.9
-
cpe:2.3:a:yhirose:cpp-httplib:0.11.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.11.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.11.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.11.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.11.4
-
cpe:2.3:a:yhirose:cpp-httplib:0.12.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.12.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.12.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.12.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.12.4
-
cpe:2.3:a:yhirose:cpp-httplib:0.12.5
-
cpe:2.3:a:yhirose:cpp-httplib:0.12.6
-
cpe:2.3:a:yhirose:cpp-httplib:0.13.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.13.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.13.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.13.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.14.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.14.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.14.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.14.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.15.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.15.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.15.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.15.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.16.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.16.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.16.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.16.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.17.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.17.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.17.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.17.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.18.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.18.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.18.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.18.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.18.4
-
cpe:2.3:a:yhirose:cpp-httplib:0.18.5
-
cpe:2.3:a:yhirose:cpp-httplib:0.18.6
-
cpe:2.3:a:yhirose:cpp-httplib:0.18.7
-
cpe:2.3:a:yhirose:cpp-httplib:0.19.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.2.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.2.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.2.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.2.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.2.4
-
cpe:2.3:a:yhirose:cpp-httplib:0.2.5
-
cpe:2.3:a:yhirose:cpp-httplib:0.2.6
-
cpe:2.3:a:yhirose:cpp-httplib:0.20.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.20.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.21.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.22.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.23.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.23.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.24.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.3.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.3.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.3.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.3.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.4.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.4.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.4.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.10
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.11
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.12
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.13
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.4
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.5
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.6
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.7
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.8
-
cpe:2.3:a:yhirose:cpp-httplib:0.5.9
-
cpe:2.3:a:yhirose:cpp-httplib:0.6.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.6.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.6.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.6.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.6.4
-
cpe:2.3:a:yhirose:cpp-httplib:0.6.5
-
cpe:2.3:a:yhirose:cpp-httplib:0.6.6
-
cpe:2.3:a:yhirose:cpp-httplib:0.6.7
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.10
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.11
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.12
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.13
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.14
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.15
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.16
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.17
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.18
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.4
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.5
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.6
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.7
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.8
-
cpe:2.3:a:yhirose:cpp-httplib:0.7.9
-
cpe:2.3:a:yhirose:cpp-httplib:0.8.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.8.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.8.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.8.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.8.4
-
cpe:2.3:a:yhirose:cpp-httplib:0.8.5
-
cpe:2.3:a:yhirose:cpp-httplib:0.8.6
-
cpe:2.3:a:yhirose:cpp-httplib:0.8.7
-
cpe:2.3:a:yhirose:cpp-httplib:0.8.8
-
cpe:2.3:a:yhirose:cpp-httplib:0.8.9
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.0
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.1
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.10
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.2
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.3
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.4
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.5
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.6
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.7
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.8
-
cpe:2.3:a:yhirose:cpp-httplib:0.9.9