CWE-93 is the weakness class for software that fails to properly neutralize CRLF (carriage return and line feed) sequences. In text-based protocols such as email, HTTP, and some logging formats, CRLF marks the end of a header or line. If attacker-controlled input is allowed to contain these characters, the input may break out of its intended field and create new headers, recipients, or commands. That turns a simple validation mistake into a protocol-boundary flaw.
In real attacks, CWE-93 can lead to email header injection, mail relay abuse, log poisoning, or request manipulation, depending on where the newline reaches. Defenders reduce the risk by rejecting or encoding CR and LF in untrusted data before it is reused by downstream components, especially when user input feeds mail-sending code, templates, or gateways. The key control is to sanitize for the next protocol hop, not just for display.
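The control described above, as an added example that is not part of the original page: a small Python helper that refuses to build an email header line from untrusted input containing a line terminator, shown beside the naive string concatenation that lets the value spill into a second header. All function names and the sample values are this example's own assumptions, not a library's API.

```python
"""Added example: neutralise CR/LF before untrusted text reaches a header.

The helpers below are illustrative and not from any named library.
"""
import re

# Characters that can end a header line. Bare CR, bare LF and CRLF all
# count; the extra separators are included because some mail and HTTP
# libraries normalise them to newlines before the bytes are sent.
_LINE_BREAK = re.compile(r"[\r\n\x0b\x0c\x85\u2028\u2029]")


def contains_line_break(value: str) -> bool:
    """True when the value could terminate the current header line."""
    return _LINE_BREAK.search(value) is not None


def naive_header(name: str, value: str) -> str:
    """The flawed pattern: the value is trusted to stay on one line."""
    return f"{name}: {value}"


def safe_header(name: str, value: str) -> str:
    """Build 'Name: value' only if neither part can break the line.

    Rejecting beats stripping: a stripped value silently changes meaning,
    and the rejection is an event worth logging on the server side.
    """
    if not name or ":" in name or contains_line_break(name):
        raise ValueError("invalid header name")
    if contains_line_break(value):
        raise ValueError("header value contains a line break")
    return f"{name}: {value}"


def header_line_count(raw: str) -> int:
    """Number of non-empty lines in a raw header fragment (for comparison)."""
    return len([ln for ln in raw.splitlines() if ln])


def is_rejected(name: str, value: str) -> bool:
    """Convenience wrapper so callers can test the outcome without try/except."""
    try:
        safe_header(name, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a value that carries a CRLF and a second field.
    tainted = "Order 42 confirmed\r\nX-Constructed: 1"
    print(header_line_count(naive_header("Subject", tainted)))  # 2 lines
    print(is_rejected("Subject", tainted))                      # True
```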