CVE-2026-44546

djangoproject / daphne

Description

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.
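The parser differential described above, and a header check of the kind the fix describes, as an added example (not daphne's, Twisted's or autobahn's code). The function names, the sample headers and the latin-1 decoding step are assumptions made for illustration.

```python
# Added illustration; all names here are hypothetical, not daphne's API.
# Bytes listed in the description: str.splitlines() breaks on them after
# decoding, while a CRLF-only header parser keeps them inside the value.
FORBIDDEN = frozenset(b"\x0b\x0c\x1c\x1d\x1e\x85")


def rebuild_raw(headers):
    """Re-serialise parsed (name, value) pairs into a raw header block."""
    return b"\r\n".join(name + b": " + value for name, value in headers)


def crlf_view(raw):
    """Header lines as seen by a parser that splits on CRLF only."""
    return raw.split(b"\r\n")


def splitlines_view(raw):
    """Header lines as seen after decoding to str and calling splitlines().
    The latin-1 codec is an assumption; the page only says 'decodes to str'."""
    return raw.decode("latin-1").splitlines()


def offending_headers(headers):
    """Names of headers whose value contains one of the forbidden bytes."""
    return [name for name, value in headers if FORBIDDEN.intersection(value)]


def check_request(headers):
    """Return 400 if any header value must be rejected, otherwise None."""
    return 400 if offending_headers(headers) else None


# Constructed sample: the second value carries an embedded \x0b.
SAMPLE = [(b"host", b"example.test"), (b"x-note", b"a\x0bx-extra: b")]
CLEAN = [(b"host", b"example.test"), (b"x-note", b"a b")]

if __name__ == "__main__":
    raw = rebuild_raw(SAMPLE)
    print("CRLF-only parser sees :", crlf_view(raw))
    print("splitlines() sees     :", splitlines_view(raw))
    print("rejected headers      :", offending_headers(SAMPLE))
    print("status for sample     :", check_request(SAMPLE))
    print("status for clean input:", check_request(CLEAN))
```

The two views disagree on how many header lines the same bytes contain, which is why the check runs on the parsed header values before the request is reconstructed.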

Scoring

CVSS: 3.7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.17% probability of exploitation · percentile 6.8% · 2026-06-19T12:03:05Z
Last modified: 2026-06-15

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-44545
CVE-2026-34520
CVE-2025-22871
CVE-2026-43966
CVE-2026-48596
CVE-2026-42507
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.