CVE•Published 2026-05-25•Modified 2026-05-28•0 articles on news•6 live references•NVD data

CVE-2026-47075Benoitc · Hackney

Vulnerability data via NVD (ingested)

CVSS v3.1

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS percentile

—

Weaknesses (CWE)

CWE-93Improper Neutralization of CRLF Sequences ('CRLF Injection')

Description

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request. This issue affects hackney: from 0 before 4.0.1.

Timeline

Published 2026-05-25

Modified 2026-05-28

External references

NVD MITRE Exploit-DB Sploitus trickest/cve VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-47075

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Benoitc Hackney"

All exposed Benoitc Hackney instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Hackney"

HTTP body or banner mentions "Hackney" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-47075