{"id":"CVE-2026-48598","summary":"CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection","details":"Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values.\n\nTesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}=\"#{v}\" with no validation of CR (\\r), LF (\\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A \" in the value closes the quoted parameter early; a \\r\\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \\r\\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue.\n\nThis issue affects tesla: from 0.8.0 before 1.18.3.","aliases":["EEF-CVE-2026-48598","GHSA-28jh-g32x-v9v4"],"modified":"2026-06-18T03:57:33.348946202Z","published":"2026-06-02T19:08:19.921Z","database_specific":{"cna_assigner":"EEF","cwe_ids":["CWE-116"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48598.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"6ebfdb9abe9c6f119408045b933d82462decd351"},{"fixed":"bb1a2c3da2775924d96e3db8e315dcc4d5d2246e"}]}]},"references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-48598.html"},{"type":"WEB","url":"https://github.com"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2026-48598"},{"type":"WEB","url":"https://repo.hex.pm"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48598.json"},{"type":"ADVISORY","url":"https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48598"},{"type":"FIX","url":"https://github.com/elixir-tesla/tesla/commit/bb1a2c3da2775924d96e3db8e315dcc4d5d2246e"},{"type":"PACKAGE","url":"https://github.com/elixir-tesla/tesla"},{"type":"PACKAGE","url":"https://github.com/elixir-tesla/tesla.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elixir-tesla/tesla","events":[{"introduced":"fed422b5ec981cc6237b6a2c1be52e4564461bad"},{"fixed":"2eb7a78948f9c3b18509bf28bdc729e07f46e0dc"},{"fixed":"bb1a2c3da2775924d96e3db8e315dcc4d5d2246e"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0.8.0"},{"fixed":"1.18.3"}]}}],"versions":["v1.18.2","v1.18.1","v1.18.0","v1.17.0","v1.16.0","v1.15.3","v1.15.2","v1.15.1","v1.15.0","v1.14.3","v1.14.2","v1.14.1","v1.14.0","v1.13.2","v1.13.1","v1.13.0","v1.12.3","v1.12.2","v1.12.1","v1.12.0","v1.11.2","v1.11.1","v1.11.0","v1.10.3","v1.10.2","v1.10.1","v1.10.0","v1.9.0","v1.8.0","v1.7.0","v1.6.1","v1.6.0","v1.5.1","v1.5.0","v1.4.4","v1.4.3","v1.4.2","v1.4.1","v1.4.0","v1.3.3","v1.3.2","v.1.3.2","v1.3.1","v1.3.0","v1.2.1","v1.2.0","v1.1.0","v1.0.0-beta.1","v0.10.0","v0.9.0","v0.8.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48598.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"}]}