CVE-2026-43966: HTTP Response Splitting Azure Flaw
🟠 High | Source: Microsoft Security Response Center

CVE-2026-43966 is an HTTP Response Splitting vulnerability in the cow_http_struct_hd:escape_string/2 function, caused by insufficient filtering of non-printable, non-VCHAR bytes in HTTP headers. An attacker able to influence header values could inject crafted responses, potentially leading to cache poisoning, cross-site scripting, or session hijacking. This affects Azure-hosted workloads or services relying on the vulnerable HTTP parsing component.

Security Architect’s Take: Review any Azure services or containerised workloads that use the affected HTTP library and apply the vendor patch promptly. In the interim, enforce strict input validation and header sanitisation at your API gateway or WAF layer to block non-VCHAR characters in HTTP header values. ...
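
A gateway-side header screen of the kind recommended above, as an added example (not code from MSRC or from the affected library): it flags every byte in a header value that falls outside VCHAR, SP and HTAB, and reports offsets in hex so the log entry itself cannot be split. The function names, the sample headers and the decision to also refuse bytes 0x80-0xFF are assumptions made for this sketch.

```python
# Added example: strict header-value screen for a gateway or WAF hook.
# Assumed policy: allow VCHAR (0x21-0x7E) plus SP and HTAB, refuse all else,
# including CR, LF, NUL, DEL and bytes 0x80-0xFF.
from typing import Dict, List, Tuple, Union

HeaderValue = Union[str, bytes]
ALLOWED = frozenset(range(0x21, 0x7F)) | {0x20, 0x09}


def find_bad_bytes(value: HeaderValue) -> List[Tuple[int, int]]:
    """Return (offset, byte) for each byte the policy refuses."""
    if isinstance(value, str):
        # Inspect the bytes that would go on the wire, not code points.
        raw = value.encode("utf-8", "surrogateescape")
    else:
        raw = bytes(value)
    return [(i, b) for i, b in enumerate(raw) if b not in ALLOWED]


def describe(findings: List[Tuple[int, int]]) -> str:
    """Render findings as hex so the log entry cannot itself be split."""
    return ", ".join(f"offset {i}: 0x{b:02x}" for i, b in findings)


def screen_headers(headers: Dict[str, HeaderValue]):
    """Split headers into (accepted, rejected); rejected maps name -> findings."""
    accepted, rejected = {}, {}
    for name, value in headers.items():
        findings = find_bad_bytes(value)
        if findings:
            rejected[name] = findings
        else:
            accepted[name] = value
    return accepted, rejected


# Constructed sample input, not taken from any real traffic.
SAMPLE = {
    "X-Request-Id": "abc-123",
    "Accept": "text/html, application/json;q=0.9",
    "X-Display-Name": "alice\r\nX-Injected: constructed",
    "X-Note": b"ok\x00hidden",
}

if __name__ == "__main__":
    ok, bad = screen_headers(SAMPLE)
    print("forwarded:", sorted(ok))
    for name, findings in bad.items():
        print(f"blocked {name}: {describe(findings)}")
```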