THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-rqq5-2gf9-4w4q (medium) — Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input

[GHSA] GHSA-rqq5-2gf9-4w4q (medium) — Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input

highgithub_advisoriesPublished 2026-07-10

GHSA-rqq5-2gf9-4w4q Severity: medium CVE: CVE-2026-54163

Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input

## Summary

`secure_headers` builds the `Content-Security-Policy` value by stitching every configured directive together with `; ` separators. Three directive builders (`build_sandbox_list_directive`, `build_media_type_list_directive

Attributed threat actors

Indicators of compromise

Original source: https://github.com/advisories/GHSA-rqq5-2gf9-4w4q