cvedb.io
CVE-2016-9964
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2016-12-16T09:59:00.373 · Last modified 2026-06-17T00:56:51.143

Summary

redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.

Affected products

bottlepy — bottle

Does this affect you?

Add your gear to cvedb and we'll alert you only when bottlepy ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.