CVE-2026-22779 Vulnerability Analysis & Exploit Details

CVE-2026-22779 Vulnerability Summary

CVE-2026-22779: BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers.The server part is not affected because BlackSheep delegates to an underlying ASGI server handling of response headers. This vulnerability is fixed in 2.4.6.

CVE-2026-22779 References

External References

• https://github.com/Neoteroi/BlackSheep/commit/bd4ecb9542b5d52442276b5a6907931b90f38d12
• https://github.com/Neoteroi/BlackSheep/releases/tag/v2.4.6
• https://github.com/Neoteroi/BlackSheep/security/advisories/GHSA-6pw3-h7xf-x4gp

CWE Common Weakness Enumeration

NVD-CWE-Other

Vulnerable Configurations

• cpe:2.3:a:neoteroi:blacksheep:0.2.7:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:0.2.7:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:0.2.8:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:0.2.8:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:0.2.9:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:0.2.9:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:0.3.0:-:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:0.3.0:-:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:0.3.0:beta:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:0.3.0:beta:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:0.3.1:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:0.3.1:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:0.3.2:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:0.3.2:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.0.0:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.0.0:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.0.1:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.0.1:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.0.2:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.0.2:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.0.3:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.0.3:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.0.4:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.0.4:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.0.5:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.0.5:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.0.6:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.0.6:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.0.7:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.0.7:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.0.8:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.0.8:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.0.9:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.0.9:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.1.0:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.1.0:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.0:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.0:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.1:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.1:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.2:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.2:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.3:-:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.3:-:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.3:beta:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.3:beta:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.4:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.4:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.5:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.5:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.6:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.6:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.7:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.7:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.8:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.8:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.9:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.9:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.10:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.10:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.11:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.11:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.12:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.12:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.13:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.13:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.14:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.14:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.15:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.15:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.16:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.16:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.17:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.17:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.18:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.18:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.19:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.19:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:1.2.20:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:1.2.20:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:-:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:-:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha0:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha0:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha1:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha1:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha10:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha10:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha11:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha11:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha12:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha12:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha2:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha2:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha3:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha3:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha4:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha4:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha5:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha5:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha6:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha6:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha7:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha7:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha8:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha8:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha9:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.0:alpha9:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.1:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.1:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.2:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.2:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.3:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.3:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.4:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.4:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.5:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.5:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.6:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.6:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.7:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.7:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.0.8:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.0.8:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.1.0:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.1.0:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.2.0:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.2.0:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.3.0:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.3.0:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.3.1:-:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.3.1:-:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.3.1:alpha1:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.3.1:alpha1:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.3.2:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.3.2:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.4.0:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.4.0:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.4.1:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.4.1:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.4.2:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.4.2:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.4.3:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.4.3:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.4.4:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.4.4:*:*:*:*:python:*:*
• cpe:2.3:a:neoteroi:blacksheep:2.4.5:*:*:*:*:python:*:*
  cpe:2.3:a:neoteroi:blacksheep:2.4.5:*:*:*:*:python:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2026-2567 – A vulnerability was detected in Wavlink WL-NU516U1 20251208. This vulnerability affects the function sub_401218 of the file /cgi-bin/nas.cgi. Perfo...
• CVE-2026-2566 – A security vulnerability has been detected in Wavlink WL-NU516U1 up to 130/260. This affects the function sub_406194 of the file /cgi-bin/adm.cgi. ...
• CVE-2019-25395 – Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the preferences.cgi script that al...
• CVE-2019-25394 – Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the modem.cgi script that allow at...
• CVE-2019-25393 – Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to in...