Email Header Injection
Embed This Widget
Add the script tag and a data attribute to embed this widget.
Embed via iframe for maximum compatibility.
<iframe src="https://statuscodefyi.com/iframe/glossary/email-header-injection/" width="420" height="400" frameborder="0" style="border:0;border-radius:10px;max-width:100%" loading="lazy"></iframe>Paste this URL in WordPress, Medium, or any oEmbed-compatible platform.
https://statuscodefyi.com/glossary/email-header-injection/Add a dynamic SVG badge to your README or docs.
[](https://statuscodefyi.com/glossary/email-header-injection/)Use the native HTML custom element.
An attack that exploits improperly sanitized user input to inject additional email headers (BCC, CC, Subject, To) into messages generated by a web application, potentially sending spam or phishing emails via a legitimate server. Attackers insert CRLF sequences into form fields used to populate headers. Prevention requires stripping or rejecting newline characters in all header values.