CVE•Published 2026-05-25•Modified 2026-05-27•0 articles on news•6 live references•NVD data

CVE-2026-47069Benoitc · Hackney

Vulnerability data via NVD (ingested)

CVSS v3.1

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS percentile

—

Weaknesses (CWE)

CWE-93Improper Neutralization of CRLF Sequences ('CRLF Injection')

Description

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option — for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path — can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response. This issue affects hackney: from 0.9.0 before 4.0.1.

Timeline

Published 2026-05-25

Modified 2026-05-27

External references

NVD MITRE Exploit-DB Sploitus trickest/cve VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-47069

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Benoitc Hackney"

All exposed Benoitc Hackney instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Hackney"

HTTP body or banner mentions "Hackney" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-47069