CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
CVE-2026-47676 (GCVE-0-2026-47676)
Vulnerability from cvelistv5 – Published: 2026-05-28 15:26 – Updated: 2026-05-28 19:13
VLAI
Title
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Summary
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/honojs/hono/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:12:23.714948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:13:28.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hono",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.12.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:26:01.672Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/hono/security/advisories/GHSA-2gcr-mfcq-wcc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/hono/security/advisories/GHSA-2gcr-mfcq-wcc3"
}
],
"source": {
"advisory": "GHSA-2gcr-mfcq-wcc3",
"discovery": "UNKNOWN"
},
"title": "Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47676",
"datePublished": "2026-05-28T15:26:01.672Z",
"dateReserved": "2026-05-19T21:10:38.798Z",
"dateUpdated": "2026-05-28T19:13:28.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48710 (GCVE-0-2026-48710)
Vulnerability from cvelistv5 – Published: 2026-05-26 21:54 – Updated: 2026-05-27 14:26
VLAI
Title
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Summary
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/Kludex/starlette/security/advi… | x_refsource_CONFIRM |
| https://github.com/Kludex/starlette/commit/764dab… | x_refsource_MISC |
| https://badhost.org | x_refsource_MISC |
| https://github.com/pypa/advisory-database/tree/ma… | x_refsource_MISC |
| https://ostif.org/disclosing-the-badhost-vulnerab… | x_refsource_MISC |
| https://www.secwest.net/starlette | x_refsource_MISC |
| https://www.x41-dsec.de/lab/advisories/x41-2026-0… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48710",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T14:22:19.241769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:26:57.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "starlette",
"vendor": "Kludex",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 \u00a73.2 / RFC 3986 \u00a73.2.2 when constructing `request.url` and falls back to `scope[\"server\"]` for malformed values."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T21:54:54.393Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr"
},
{
"name": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6"
},
{
"name": "https://badhost.org",
"tags": [
"x_refsource_MISC"
],
"url": "https://badhost.org"
},
{
"name": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml"
},
{
"name": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette",
"tags": [
"x_refsource_MISC"
],
"url": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette"
},
{
"name": "https://www.secwest.net/starlette",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.secwest.net/starlette"
},
{
"name": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette"
}
],
"source": {
"advisory": "GHSA-86qp-5c8j-p5mr",
"discovery": "UNKNOWN"
},
"title": "Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48710",
"datePublished": "2026-05-26T21:54:54.393Z",
"dateReserved": "2026-05-22T18:47:27.755Z",
"dateUpdated": "2026-05-27T14:26:57.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49753 (GCVE-0-2026-49753)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:15 – Updated: 2026-06-02 19:14
VLAI
Title
HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing
Summary
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections.
Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length >= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted.
A fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer's response stream.
This issue affects mint: from 0.1.0 before 1.9.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-mint/mint/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49753.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49753 | related |
| https://github.com/elixir-mint/mint/commit/47e480… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-mint | mint |
Affected:
0.1.0 , < 1.9.0
(semver)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
|
| elixir-mint | mint |
Affected:
65e0e86d799a6d3b08e4372fccdd9747535e0dd6 , < 47e48027480228e4e32a0b4df39db497b4804921
(git)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49753",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:06:41.525477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:06:51.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-mjqx-c6f6-7rc2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP1.Parse\u0027"
],
"packageName": "mint",
"packageURL": "pkg:hex/mint",
"product": "mint",
"programFiles": [
"lib/mint/http1/parse.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP1.Parse\u0027:content_length_header/1"
}
],
"repo": "https://github.com/elixir-mint/mint",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "1.9.0",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP1.Parse\u0027"
],
"packageName": "elixir-mint/mint",
"packageURL": "pkg:github/elixir-mint/mint",
"product": "mint",
"programFiles": [
"lib/mint/http1/parse.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP1.Parse\u0027:content_length_header/1"
}
],
"repo": "https://github.com/elixir-mint/mint.git",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "47e48027480228e4e32a0b4df39db497b4804921",
"status": "affected",
"version": "65e0e86d799a6d3b08e4372fccdd9747535e0dd6",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.9.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Eric Meadows-J\u00f6nsson"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections.\u003cp\u003eMint\u0027s HTTP/1 \u003ctt\u003eContent-Length\u003c/tt\u003e parser, \u003ctt\u003e\u0027Elixir.Mint.HTTP1.Parse\u0027:content_length_header/1\u003c/tt\u003e in \u003ctt\u003elib/mint/http1/parse.ex\u003c/tt\u003e, parses the header value with \u003ctt\u003eInteger.parse/1\u003c/tt\u003e, which accepts an optional \u003ctt\u003e+\u003c/tt\u003e or \u003ctt\u003e-\u003c/tt\u003e sign prefix. The \u003ctt\u003elength \u0026gt;= 0\u003c/tt\u003e guard rejects negatives, but inputs such as \u003ctt\u003e+0\u003c/tt\u003e or \u003ctt\u003e+123\u003c/tt\u003e are returned as valid lengths. RFC 7230 specifies \u003ctt\u003eContent-Length = 1*DIGIT\u003c/tt\u003e, with no sign character permitted.\u003c/p\u003e\u003cp\u003eA fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like \u003ctt\u003eContent-Length: +0\u003c/tt\u003e, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer\u0027s response stream.\u003c/p\u003e\u003cp\u003eThis issue affects mint: from 0.1.0 before 1.9.0.\u003c/p\u003e"
}
],
"value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections.\n\nMint\u0027s HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length \u003e= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted.\n\nA fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer\u0027s response stream.\n\nThis issue affects mint: from 0.1.0 before 1.9.0."
}
],
"impacts": [
{
"capecId": "CAPEC-273",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-273 HTTP Response Smuggling"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:42.817Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-mjqx-c6f6-7rc2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49753.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49753"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-mint/mint/commit/47e48027480228e4e32a0b4df39db497b4804921"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49753",
"datePublished": "2026-06-02T14:15:17.078Z",
"dateReserved": "2026-06-01T13:45:22.448Z",
"dateUpdated": "2026-06-02T19:14:42.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50052 (GCVE-0-2026-50052)
Vulnerability from cvelistv5 – Published: 2026-06-03 03:56 – Updated: 2026-06-03 13:27
VLAI
Summary
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync
attack (request smuggling), which in turn can be used for cache poisoning,
authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the
feature parameter to contain +http2. HTTP/2 support is disabled by
default.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| The Vinyl Cache Project | Vinyl Cache |
Affected:
9.0.0
Unaffected: 9.0.1 |
|
| The Vinyl Cache Project | Varnish Cache (pre split) |
Affected:
7.6.0 , ≤ 8.0.1
(semver)
Unaffected: 8.0.2 Affected: 6.0.14 , ≤ 6.0.17 (semver) Unaffected: 6.0.18 |
|
| Varnish Software | Varnish Cache by Varnish Software |
Affected:
9.0.0 , ≤ 9.0.2
(semver)
Unaffected: 9.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50052",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:27:03.836713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T13:27:33.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vinyl Cache",
"programFiles": [
"bin/vinyld/http2/cache_http2_hpack.c"
],
"repo": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache",
"vendor": "The Vinyl Cache Project",
"versions": [
{
"status": "affected",
"version": "9.0.0"
},
{
"status": "unaffected",
"version": "9.0.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Varnish Cache (pre split)",
"programFiles": [
"bin/varnishd/http2/cache_http2_hpack.c"
],
"repo": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache",
"vendor": "The Vinyl Cache Project",
"versions": [
{
"lessThanOrEqual": "8.0.1",
"status": "affected",
"version": "7.6.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.0.2"
},
{
"lessThanOrEqual": "6.0.17",
"status": "affected",
"version": "6.0.14",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "6.0.18"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Varnish Cache by Varnish Software",
"programFiles": [
"bin/vinyld/http2/cache_http2_hpack.c"
],
"repo": "https://github.com/varnish/varnish",
"vendor": "Varnish Software",
"versions": [
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.0.3"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003ehttp2 enabled\u003c/div\u003e\u003cdiv\u003eexploitable URLs present (require request body)\u003c/div\u003e"
}
],
"value": "http2 enabled\n\nexploitable URLs present (require request body)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync\nattack (request smuggling), which in turn can be used for cache poisoning,\nauthentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the\nfeature parameter to contain +http2. HTTP/2 support is disabled by\ndefault."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T03:59:35.155Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://vinyl-cache.org/security/VSV00019.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eUpdate to fix version\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Update to fix version"
}
],
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003eDisable HTTP/2\u003c/h3\u003e\u003cp\u003eThe vulnerability can only be exploited if HTTP/2 support is enabled. Where it\nis, it can be disabled\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evinyladm param.set feature -http2\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by removing \u003ccode\u003e-p feature=+http2\u003c/code\u003e from the \u003ccode\u003evinyld\u003c/code\u003e startup\nparameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote that HTTP/2 typically requires a TLS offloader, which must be changed to no\nlonger send the \u003ccode\u003eh2\u003c/code\u003e ALPN. For example with \u003ccode\u003ehaproxy\u003c/code\u003e, in the\n\u003ccode\u003elisten\u003c/code\u003e/\u003ccode\u003ebind\u003c/code\u003e configuration directive, \u003ccode\u003ealpn h2,http/1.1\u003c/code\u003e should be\nreplaced with \u003ccode\u003ealpn http/1.1\u003c/code\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Disable HTTP/2The vulnerability can only be exploited if HTTP/2 support is enabled. Where it\nis, it can be disabled\n\n\n\n * at runtime by issuing vinyladm param.set feature -http2\n\n\n\n * persistently by removing -p feature=+http2 from the vinyld startup\nparameters\n\n\n\n\n\n\nNote that HTTP/2 typically requires a TLS offloader, which must be changed to no\nlonger send the h2 ALPN. For example with haproxy, in the\nlisten/bind configuration directive, alpn h2,http/1.1 should be\nreplaced with alpn http/1.1."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003eIn VCL, add a vmod re2 header filter\u003c/h3\u003e\u003cp\u003eThis method requires \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e header filters (see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://vinyl-cache.org/tutorials/hdr_filter.html\"\u003etutorial\u003c/a\u003e for more information) can be\nused to remove injected invalid header lines, which are the vehicle required for\nlaunching desync attacks exploiting this vulnerability.\u003c/p\u003e\n\u003cp\u003eTo the best of our knowledge, the following VCL snippet at the top of the custom\nVCL adds protection by removing invalid headers:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nimport re2;\nsub vcl_init {\n new sane = re2.set(anchor=start, case_sensitive=false);\n # https://httpwg.org/specs/rfc9110.html#rule.token.separators\n # SLIGHTLY more relaxed, because it allows trailing SP / HTAB\n sane.add(\"[-!#$%\u0026amp;\u0027*+.^_`|~a-z0-9]+:[\\s\\x21-\\x7E\\x80-\\xff]+$\");\n}\nsub vcl_recv {\n sane.hdr_filter(req, true);\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eTo the best of our knowledge, where \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e is already used with a\n\u003ccode\u003ehdr_filter\u003c/code\u003e in allow mode (second argument \u003ccode\u003etrue\u003c/code\u003e), protection is already\nsufficient unless the empty string is allowed.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In VCL, add a vmod re2 header filterThis method requires vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 .\n\n\n vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 header filters (see the tutorial https://vinyl-cache.org/tutorials/hdr_filter.html for more information) can be\nused to remove injected invalid header lines, which are the vehicle required for\nlaunching desync attacks exploiting this vulnerability.\n\n\nTo the best of our knowledge, the following VCL snippet at the top of the custom\nVCL adds protection by removing invalid headers:\n\n\n## BEGIN vsv19 mitigation\n#\nimport re2;\nsub vcl_init {\n new sane = re2.set(anchor=start, case_sensitive=false);\n # https://httpwg.org/specs/rfc9110.html#rule.token.separators\n # SLIGHTLY more relaxed, because it allows trailing SP / HTAB\n sane.add(\"[-!#$%\u0026\u0027*+.^_`|~a-z0-9]+:[\\s\\x21-\\x7E\\x80-\\xff]+$\");\n}\nsub vcl_recv {\n sane.hdr_filter(req, true);\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nTo the best of our knowledge, where vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 is already used with a\nhdr_filter in allow mode (second argument true), protection is already\nsufficient unless the empty string is allowed."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch4\u003e\u0026gt;= 7.6.0 plain VCL mitigation\u003c/h4\u003e\u003cp\u003eFor versions 7.6.0 and higher, this method requires no additional VMODs, but\nneeds inline-C to be enabled.\u003c/p\u003e\n\u003cp\u003eFor Vinyl Cache:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evinyladm param.set vcc_feature +allow_inline_c\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by adding \u003ccode\u003e-p vcc_feature=+allow_inline_c\u003c/code\u003e to the \u003ccode\u003evinyld\u003c/code\u003e\nstartup parameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eFor Varnish Cache:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evarnishadm param.set vcc_feature +allow_inline_c\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by adding \u003ccode\u003e-p vcc_feature=+allow_inline_c\u003c/code\u003e to the \u003ccode\u003evarnishd\u003c/code\u003e\nstartup parameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBesides enabling inline-C, the following snippet needs to be added at the top of\nthe custom VCL:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n C{\n VRT_SetHdr(ctx, \u0026amp;VGC_HDR_REQ_content_2d_length, 0,\n TOSTRAND(VRT_GetHdr(ctx, \u0026amp;VGC_HDR_REQ_content_2d_length)));\n }C\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eIn addition, care must be taken that \u003ccode\u003ebereq.http.Connection\u003c/code\u003e is not unset\nanywhere else in the custom VCL.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "\u003e= 7.6.0 plain VCL mitigationFor versions 7.6.0 and higher, this method requires no additional VMODs, but\nneeds inline-C to be enabled.\n\n\nFor Vinyl Cache:\n\n\n\n * at runtime by issuing vinyladm param.set vcc_feature +allow_inline_c\n\n\n\n * persistently by adding -p vcc_feature=+allow_inline_c to the vinyld\nstartup parameters\n\n\n\n\n\n\nFor Varnish Cache:\n\n\n\n * at runtime by issuing varnishadm param.set vcc_feature +allow_inline_c\n\n\n\n * persistently by adding -p vcc_feature=+allow_inline_c to the varnishd\nstartup parameters\n\n\n\n\n\n\nBesides enabling inline-C, the following snippet needs to be added at the top of\nthe custom VCL:\n\n\n## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n C{\n VRT_SetHdr(ctx, \u0026VGC_HDR_REQ_content_2d_length, 0,\n TOSTRAND(VRT_GetHdr(ctx, \u0026VGC_HDR_REQ_content_2d_length)));\n }C\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nIn addition, care must be taken that bereq.http.Connection is not unset\nanywhere else in the custom VCL."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch4\u003e6.0 plain VCL mitigation\u003c/h4\u003e\u003cp\u003eFor version 6.0 LTS, this method works in pure VCL with no other changes\nrequired. The following snippet needs to be added at the top of the custom VCL:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n set req.http.content-length = req.http.content-length;\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eIn addition, care must be taken that \u003ccode\u003ebereq.http.Connection\u003c/code\u003e is not unset\nanywhere else in the custom VCL.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "6.0 plain VCL mitigationFor version 6.0 LTS, this method works in pure VCL with no other changes\nrequired. The following snippet needs to be added at the top of the custom VCL:\n\n\n## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n set req.http.content-length = req.http.content-length;\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nIn addition, care must be taken that bereq.http.Connection is not unset\nanywhere else in the custom VCL."
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-50052",
"datePublished": "2026-06-03T03:56:01.974Z",
"dateReserved": "2026-06-03T03:56:01.075Z",
"dateUpdated": "2026-06-03T13:27:33.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6324 (GCVE-0-2026-6324)
Vulnerability from cvelistv5 – Published: 2026-05-29 05:24 – Updated: 2026-05-29 14:01
VLAI
Title
Libsoup: libsoup: http request smuggling via unsigned to signed conversion error
Summary
A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access.
Severity
4.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-6324 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2458479 | issue-trackingx_refsource_REDHAT |
| https://gitlab.gnome.org/GNOME/libsoup/-/issues/508 | |
| https://gitlab.gnome.org/GNOME/libsoup/-/work_items/508 | exploit |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
Date Public
2026-01-27 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6324",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T14:00:40.782194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:01:04.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gitlab.gnome.org/GNOME/libsoup/-/work_items/508"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unknown",
"packageName": "libsoup3",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "libsoup",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "libsoup",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unknown",
"packageName": "libsoup",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unknown",
"packageName": "libsoup",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-01-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T05:24:07.364Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-6324"
},
{
"name": "RHBZ#2458479",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458479"
},
{
"url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/508"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-14T20:51:30.825Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-01-27T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Libsoup: libsoup: http request smuggling via unsigned to signed conversion error",
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-6324",
"datePublished": "2026-05-29T05:24:07.364Z",
"dateReserved": "2026-04-14T20:50:53.403Z",
"dateUpdated": "2026-05-29T14:01:04.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8620 (GCVE-0-2026-8620)
Vulnerability from cvelistv5 – Published: 2026-05-26 17:15 – Updated: 2026-05-27 13:12
VLAI
Title
IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using when using Web Server Plug-ins
Summary
IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7274072 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty |
Affected:
8.5, 9.0 , ≤ Interim Fix 002
(semver)
cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5:*:*:*:*:*:*:* cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8620",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:12:49.669182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:12:59.224Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:web_server_plug_ins_for_websphere_application_server_and_websphere_liberty:8.5.0:*:*:*:*:*:*:*"
],
"product": "Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "Interim Fix 002",
"status": "affected",
"version": "8.5, 9.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request.\u003c/p\u003e"
}
],
"value": "IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:15:00.501Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7274072"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by applying a currently available Web Server Plug-ins interim fix or fix pack that contains the fix for APAR PH71342.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWeb Server Plug-ins for IBM WebSphere Application Server\u003c/strong\u003e (used with either WebSphere Application Server traditional or Liberty):\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFor V9.0.0.0 through 9.0.5.27:\u003c/strong\u003e\u003cbr\u003e\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Web Server Plug-ins Interim Fix that resolves\u0026nbsp;\u003ca href=\"https://www.ibm.com/support/pages/node/7273976\" rel=\"nofollow\"\u003ePH71342\u003c/a\u003e\u003cbr\u003e--OR--\u003cbr\u003e\u00b7 Apply Web Server Plug-ins Fix Pack 9.0.5.28 or later (targeted availability 2Q2026).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFor V8.5.0.0 through 8.5.5.29:\u003c/strong\u003e\u003cbr\u003e\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Web Server Plug-ins Interim Fix that resolves\u0026nbsp;\u003ca href=\"https://www.ibm.com/support/pages/node/7273976\" rel=\"nofollow\"\u003ePH71342\u003c/a\u003e\u003cbr\u003e--OR--\u003cbr\u003e\u00b7 Apply Web Server Plug-ins Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAdditional interim fixes may be available and linked off the interim fix download page.\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by applying a currently available Web Server Plug-ins interim fix or fix pack that contains the fix for APAR PH71342.\u00a0\n\n\n\n\n\n\n\nWeb Server Plug-ins for IBM WebSphere Application Server (used with either WebSphere Application Server traditional or Liberty):\n\n\n\nFor V9.0.0.0 through 9.0.5.27:\n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Web Server Plug-ins Interim Fix that resolves\u00a0 PH71342 https://www.ibm.com/support/pages/node/7273976 \n--OR--\n\u00b7 Apply Web Server Plug-ins Fix Pack 9.0.5.28 or later (targeted availability 2Q2026).\u00a0\u00a0\n\n\n\nFor V8.5.0.0 through 8.5.5.29:\n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Web Server Plug-ins Interim Fix that resolves\u00a0 PH71342 https://www.ibm.com/support/pages/node/7273976 \n--OR--\n\u00b7 Apply Web Server Plug-ins Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).\n\n\n\n\n\n\n\nAdditional interim fixes may be available and linked off the interim fix download page."
}
],
"title": "IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using when using Web Server Plug-ins",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-8620",
"datePublished": "2026-05-26T17:15:00.501Z",
"dateReserved": "2026-05-14T18:19:54.491Z",
"dateUpdated": "2026-05-27T13:12:59.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9170 (GCVE-0-2026-9170)
Vulnerability from cvelistv5 – Published: 2026-05-26 17:31 – Updated: 2026-05-28 03:55
VLAI
Title
IBM HTTP Server is affected by multiple vulnerabilities
Summary
IBM HTTP Server 8.5, and 9.0
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7274065 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | HTTP Server |
Affected:
8.5
Affected: 9.0 cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:* cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9170",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T03:55:53.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*"
],
"product": "HTTP Server",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "8.5"
},
{
"status": "affected",
"version": "9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM HTTP Server 8.5, and 9.0\u003c/p\u003e"
}
],
"value": "IBM HTTP Server 8.5, and 9.0"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:35:26.251Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7274065"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFor IBM HTTP Server used by IBM WebSphere Application Server:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFor V9.0.0.0 through 9.0.5.28:\u003c/strong\u003e\u003cbr/\u003e\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves \u003ca href=\"https://www.ibm.com/support/pages/node/7239806\" rel=\"nofollow\"\u003ePH71265\u003c/a\u003e\u003cbr/\u003e--OR--\u003cbr/\u003e\u00b7 Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).\u00a0\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFor V8.5.0.0 through 8.5.5.29:\u003c/strong\u003e\u003cbr/\u003e\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves \u003ca href=\"https://www.ibm.com/support/pages/node/7239806\" rel=\"nofollow\"\u003ePH71265\u003c/a\u003e\u003cbr/\u003e--OR--\u003cbr/\u003e\u00b7 Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).\u003c/p\u003e\u003cp\u003e\u00a0Additional interim fixes may be available and linked off the interim fix download page.\u003c/p\u003e\u003cp\u003eImportant Note\u003c/p\u003e\u003cp\u003eIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.\n\n\n\nFor IBM HTTP Server used by IBM WebSphere Application Server:\n\n\n\nFor V9.0.0.0 through 9.0.5.28:\n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265 https://www.ibm.com/support/pages/node/7239806 \n--OR--\n\u00b7 Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).\u00a0\n\n\n\nFor V8.5.0.0 through 8.5.5.29:\n\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265 https://www.ibm.com/support/pages/node/7239806 \n--OR--\n\u00b7 Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).\n\n\n\n\u00a0Additional interim fixes may be available and linked off the interim fix download page.\n\n\n\nImportant Note\n\n\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk."
}
],
"title": "IBM HTTP Server is affected by multiple vulnerabilities",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-9170",
"datePublished": "2026-05-26T17:31:55.400Z",
"dateReserved": "2026-05-21T14:32:03.337Z",
"dateUpdated": "2026-05-28T03:55:53.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Mitigation
Phase: Implementation
Description:
- Use only SSL communication.
Mitigation
Phase: Implementation
Description:
- Terminate the client session after each request.
Mitigation
Phase: System Configuration
Description:
- Turn all pages to non-cacheable.
CAPEC-273: HTTP Response Smuggling
['An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).', 'See CanPrecede relationships for possible consequences.']
CAPEC-33: HTTP Request Smuggling
['An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).', 'See CanPrecede relationships for possible consequences.']