Home > Vulnerability Database > CVE-2026-22779

Mend.io Vulnerability Database

CVE-2026-22779

Good to know:

Date: January 14, 2026

BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers.The server part is not affected because BlackSheep delegates to an underlying ASGI server handling of response headers. This vulnerability is fixed in 2.4.6.

Severity Score

7.2

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22779

Url: https://github.com/Neoteroi/BlackSheep/commit/bd4ecb9542b5d52442276b5a6907931b90f38d12

Url: https://github.com/Neoteroi/BlackSheep

Url: https://github.com/Neoteroi/BlackSheep/security/advisories/GHSA-6pw3-h7xf-x4gp

Url: https://github.com/Neoteroi/BlackSheep/releases/tag/v2.4.6

Url: https://www.mend.io/vulnerability-database/CVE-2026-22779

Severity Score

7.2

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-113

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-93

Top Fix

Upgrade Version

Upgrade to version blacksheep - 2.4.6;https://github.com/Neoteroi/BlackSheep.git - v2.4.6

Learn More

CVSS v3.1

Base Score:	7.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22779

Good to know:

Date: January 14, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?