{
    "containers": {
        "cna": {
            "affected": [
                {
                    "defaultStatus": "unaffected",
                    "product": "Apache HTTP Server",
                    "vendor": "Apache Software Foundation",
                    "versions": [
                        {
                            "lessThanOrEqual": "2.4.66",
                            "status": "affected",
                            "version": "2.4.0",
                            "versionType": "semver"
                        }
                    ]
                }
            ],
            "credits": [
                {
                    "lang": "en",
                    "type": "finder",
                    "value": "Haruki Oyama (Waseda University)"
                },
                {
                    "lang": "en",
                    "type": "finder",
                    "value": "Merih Mengisteab"
                },
                {
                    "lang": "en",
                    "type": "finder",
                    "value": "Dawit Jeong"
                }
            ],
            "descriptions": [
                {
                    "lang": "en",
                    "supportingMedia": [
                        {
                            "base64": false,
                            "type": "text/html",
                            "value": "<p>HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.</p><p>This issue affects Apache HTTP Server: from 2.4.0 through 2.4.66.</p><p>Users are recommended to upgrade to version 2.4.67, which fixes the issue.</p>"
                        }
                    ],
                    "value": "HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue."
                }
            ],
            "metrics": [
                {
                    "other": {
                        "content": {
                            "text": "low"
                        },
                        "type": "Textual description of severity"
                    }
                }
            ],
            "problemTypes": [
                {
                    "descriptions": [
                        {
                            "cweId": "CWE-443",
                            "description": "CWE-443: HTTP response splitting",
                            "lang": "en",
                            "type": "CWE"
                        }
                    ]
                }
            ],
            "providerMetadata": {
                "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
            },
            "source": {
                "discovery": "UNKNOWN"
            },
            "timeline": [
                {
                    "lang": "en",
                    "time": "2026-03-05T12:00:00.000Z",
                    "value": "reported"
                },
                {
                    "lang": "eng",
                    "time": "2026-05-04",
                    "value": "2.4.67 released"
                },
                {
                    "lang": "en",
                    "time": "2026-05-04T12:00:00.000Z",
                    "value": "fixed in 2.4.x by r1933360"
                }
            ],
            "title": "multiple modules: HTTP response splitting forwarding malicious status line",
            "x_generator": {
                "engine": "Vulnogram 0.2.0"
            },
            "references": [
                {
                    "tags": [
                        "vendor-advisory"
                    ],
                    "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
                }
            ]
        }
    },
    "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "cveId": "CVE-2026-33523",
        "serial": 1,
        "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "CNA_private": {
        "emailed": null,
        "projecturl": null,
        "owner": "httpd",
        "state": "RESERVED",
        "todo": [],
        "type": "unsure"
    }
}
