THREAT OPS › Threat News › [GHSA] GHSA-rqq5-2gf9-4w4q (medium) — Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
[GHSA] GHSA-rqq5-2gf9-4w4q (medium) — Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
GHSA-rqq5-2gf9-4w4q Severity: medium CVE: CVE-2026-54163
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
## Summary
`secure_headers` builds the `Content-Security-Policy` value by stitching every configured directive together with `; ` separators. Three directive builders (`build_sandbox_list_directive`, `build_media_type_list_directive
Attributed threat actors
- Earth LuscaG1006
Indicators of compromise
- f224144c99002bcd3c06ed86c169429d4be1e5dcsha1
- CVE-2026-54163cve
- CVE-2020-5217cve
- https://rubygems.orgurl
- https://attacker.example/leakurl
- http://127.0.0.1:14567/url
Original source: https://github.com/advisories/GHSA-rqq5-2gf9-4w4q