OPENSUSE-SU-2026:10435-1 - Vulnerability-Lookup

OPENSUSE-SU-2026:10435-1

Vulnerability from csaf_opensuse - Published: 2026-03-26 00:00 - Updated: 2026-03-26 00:00

Summary

cpp-httplib-devel-0.38.0-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: cpp-httplib-devel-0.38.0-1.1 on GA media

Description of the patch: These are all security issues fixed in the cpp-httplib-devel-0.38.0-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10435

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2026-21428

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-22776

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-28434

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-28435

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-29076

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32627

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-21428/	self
	https://www.suse.com/security/cve/CVE-2026-22776/	self
	https://www.suse.com/security/cve/CVE-2026-28434/	self
	https://www.suse.com/security/cve/CVE-2026-28435/	self
	https://www.suse.com/security/cve/CVE-2026-29076/	self
	https://www.suse.com/security/cve/CVE-2026-32627/	self
	https://www.suse.com/security/cve/CVE-2026-21428	external
	https://bugzilla.suse.com/1255835	external
	https://www.suse.com/security/cve/CVE-2026-22776	external
	https://bugzilla.suse.com/1256518	external
	https://www.suse.com/security/cve/CVE-2026-28434	external
	https://bugzilla.suse.com/1259221	external
	https://www.suse.com/security/cve/CVE-2026-28435	external
	https://bugzilla.suse.com/1259220	external
	https://www.suse.com/security/cve/CVE-2026-29076	external
	https://bugzilla.suse.com/1259373	external
	https://www.suse.com/security/cve/CVE-2026-32627	external
	https://bugzilla.suse.com/1259723	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "cpp-httplib-devel-0.38.0-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the cpp-httplib-devel-0.38.0-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10435",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10435-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21428 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21428/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-22776 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-22776/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-28434 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-28434/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-28435 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-28435/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-29076 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-29076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32627 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32627/"
      }
    ],
    "title": "cpp-httplib-devel-0.38.0-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-03-26T00:00:00Z",
      "generator": {
        "date": "2026-03-26T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10435-1",
      "initial_release_date": "2026-03-26T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-03-26T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cpp-httplib-devel-0.38.0-1.1.aarch64",
                "product": {
                  "name": "cpp-httplib-devel-0.38.0-1.1.aarch64",
                  "product_id": "cpp-httplib-devel-0.38.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libcpp-httplib0_38-0.38.0-1.1.aarch64",
                "product": {
                  "name": "libcpp-httplib0_38-0.38.0-1.1.aarch64",
                  "product_id": "libcpp-httplib0_38-0.38.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cpp-httplib-devel-0.38.0-1.1.ppc64le",
                "product": {
                  "name": "cpp-httplib-devel-0.38.0-1.1.ppc64le",
                  "product_id": "cpp-httplib-devel-0.38.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libcpp-httplib0_38-0.38.0-1.1.ppc64le",
                "product": {
                  "name": "libcpp-httplib0_38-0.38.0-1.1.ppc64le",
                  "product_id": "libcpp-httplib0_38-0.38.0-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cpp-httplib-devel-0.38.0-1.1.s390x",
                "product": {
                  "name": "cpp-httplib-devel-0.38.0-1.1.s390x",
                  "product_id": "cpp-httplib-devel-0.38.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libcpp-httplib0_38-0.38.0-1.1.s390x",
                "product": {
                  "name": "libcpp-httplib0_38-0.38.0-1.1.s390x",
                  "product_id": "libcpp-httplib0_38-0.38.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cpp-httplib-devel-0.38.0-1.1.x86_64",
                "product": {
                  "name": "cpp-httplib-devel-0.38.0-1.1.x86_64",
                  "product_id": "cpp-httplib-devel-0.38.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libcpp-httplib0_38-0.38.0-1.1.x86_64",
                "product": {
                  "name": "libcpp-httplib0_38-0.38.0-1.1.x86_64",
                  "product_id": "libcpp-httplib0_38-0.38.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cpp-httplib-devel-0.38.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64"
        },
        "product_reference": "cpp-httplib-devel-0.38.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cpp-httplib-devel-0.38.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le"
        },
        "product_reference": "cpp-httplib-devel-0.38.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cpp-httplib-devel-0.38.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x"
        },
        "product_reference": "cpp-httplib-devel-0.38.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cpp-httplib-devel-0.38.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64"
        },
        "product_reference": "cpp-httplib-devel-0.38.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcpp-httplib0_38-0.38.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64"
        },
        "product_reference": "libcpp-httplib0_38-0.38.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcpp-httplib0_38-0.38.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le"
        },
        "product_reference": "libcpp-httplib0_38-0.38.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcpp-httplib0_38-0.38.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x"
        },
        "product_reference": "libcpp-httplib0_38-0.38.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcpp-httplib0_38-0.38.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
        },
        "product_reference": "libcpp-httplib0_38-0.38.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-21428",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21428"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR \u0026 LF characters in user supplied headers, allowing untrusted header value to escape header lines.\nThis vulnerability allows attackers to add extra headers, modify request body unexpectedly \u0026 trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21428",
          "url": "https://www.suse.com/security/cve/CVE-2026-21428"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255835 for CVE-2026-21428",
          "url": "https://bugzilla.suse.com/1255835"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-26T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-21428"
    },
    {
      "cve": "CVE-2026-22776",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-22776"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-22776",
          "url": "https://www.suse.com/security/cve/CVE-2026-22776"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256518 for CVE-2026-22776",
          "url": "https://bugzilla.suse.com/1256518"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-26T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-22776"
    },
    {
      "cve": "CVE-2026-28434",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-28434"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-28434",
          "url": "https://www.suse.com/security/cve/CVE-2026-28434"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259221 for CVE-2026-28434",
          "url": "https://bugzilla.suse.com/1259221"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-26T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-28434"
    },
    {
      "cve": "CVE-2026-28435",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-28435"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-28435",
          "url": "https://www.suse.com/security/cve/CVE-2026-28435"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259220 for CVE-2026-28435",
          "url": "https://bugzilla.suse.com/1259220"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-26T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-28435"
    },
    {
      "cve": "CVE-2026-29076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-29076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-29076",
          "url": "https://www.suse.com/security/cve/CVE-2026-29076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259373 for CVE-2026-29076",
          "url": "https://bugzilla.suse.com/1259373"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-26T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-29076"
    },
    {
      "cve": "CVE-2026-32627",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32627"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target - expired, self-signed, or forged - without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
          "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32627",
          "url": "https://www.suse.com/security/cve/CVE-2026-32627"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259723 for CVE-2026-32627",
          "url": "https://bugzilla.suse.com/1259723"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:cpp-httplib-devel-0.38.0-1.1.x86_64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.aarch64",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.s390x",
            "openSUSE Tumbleweed:libcpp-httplib0_38-0.38.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-26T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32627"
    }
  ]
}

CVE-2026-28434 (GCVE-0-2026-28434)

Vulnerability from cvelistv5 – Published: 2026-03-04 19:34 – Updated: 2026-03-04 20:55

Title

cpp-httplib's default exception handler leaks e.what() to clients via EXCEPTION_WHAT response header

Summary

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/yhirose/cpp-httplib/security/a…	x_refsource_CONFIRM
	https://github.com/yhirose/cpp-httplib/commit/def…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	yhirose	cpp-httplib	Affected: < 0.35.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28434",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-04T20:45:05.207964Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-04T20:55:40.320Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cpp-httplib",
          "vendor": "yhirose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.35.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-04T19:34:30.486Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8mpw-r4gc-xm7q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8mpw-r4gc-xm7q"
        },
        {
          "name": "https://github.com/yhirose/cpp-httplib/commit/defd907c7469c5c8281247b73bbd07be24c31164",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/commit/defd907c7469c5c8281247b73bbd07be24c31164"
        }
      ],
      "source": {
        "advisory": "GHSA-8mpw-r4gc-xm7q",
        "discovery": "UNKNOWN"
      },
      "title": "cpp-httplib\u0027s default exception handler leaks e.what() to clients via EXCEPTION_WHAT response header"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28434",
    "datePublished": "2026-03-04T19:34:30.486Z",
    "dateReserved": "2026-02-27T15:54:05.138Z",
    "dateUpdated": "2026-03-04T20:55:40.320Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32627 (GCVE-0-2026-32627)

Vulnerability from cvelistv5 – Published: 2026-03-13 20:48 – Updated: 2026-03-16 15:41

Title

cpp-httplib has a Silent TLS Certificate Verification Bypass on HTTPS Redirect via Proxy

Summary

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target — expired, self-signed, or forged — without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.

Severity ?

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-295 - Improper Certificate Validation

Assigner

GitHub_M

References

URL

Tags

https://github.com/yhirose/cpp-httplib/security/a…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	yhirose	cpp-httplib	Affected: < 0.37.2

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32627",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-16T15:27:59.309320Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-16T15:41:05.578Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cpp-httplib",
          "vendor": "yhirose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.37.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target \u2014 expired, self-signed, or forged \u2014 without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-13T20:48:14.442Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g"
        }
      ],
      "source": {
        "advisory": "GHSA-c3h8-fqq4-xm4g",
        "discovery": "UNKNOWN"
      },
      "title": "cpp-httplib has a Silent TLS Certificate Verification Bypass on HTTPS Redirect via Proxy"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32627",
    "datePublished": "2026-03-13T20:48:14.442Z",
    "dateReserved": "2026-03-12T15:29:36.558Z",
    "dateUpdated": "2026-03-16T15:41:05.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28435 (GCVE-0-2026-28435)

Vulnerability from cvelistv5 – Published: 2026-03-04 19:36 – Updated: 2026-03-04 20:39

Title

Payload size limit bypass via gzip decompression in ContentReader (streaming) allows oversized request bodies in cpp-httplib

Summary

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption
CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/yhirose/cpp-httplib/security/a…	x_refsource_CONFIRM
	https://github.com/yhirose/cpp-httplib/commit/c99…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	yhirose	cpp-httplib	Affected: < 0.35.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28435",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-04T20:37:10.788317Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-04T20:39:46.131Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cpp-httplib",
          "vendor": "yhirose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.35.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-409",
              "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-04T19:36:33.418Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xvfx-w463-6fpp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xvfx-w463-6fpp"
        },
        {
          "name": "https://github.com/yhirose/cpp-httplib/commit/c99d7472b5cf4869d3897b9afc9792063a3d15a8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/commit/c99d7472b5cf4869d3897b9afc9792063a3d15a8"
        }
      ],
      "source": {
        "advisory": "GHSA-xvfx-w463-6fpp",
        "discovery": "UNKNOWN"
      },
      "title": "Payload size limit bypass via gzip decompression in ContentReader (streaming) allows oversized request bodies in cpp-httplib"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28435",
    "datePublished": "2026-03-04T19:36:33.418Z",
    "dateReserved": "2026-02-27T15:54:05.139Z",
    "dateUpdated": "2026-03-04T20:39:46.131Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29076 (GCVE-0-2026-29076)

Vulnerability from cvelistv5 – Published: 2026-03-07 16:08 – Updated: 2026-03-09 18:25

Title

cpp-httplib: Stack Overflow Denial of Service (DoS) via std::regex in multipart filename parsing

Summary

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-674 - Uncontrolled Recursion
CWE-1333 - Inefficient Regular Expression Complexity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/yhirose/cpp-httplib/security/a…	x_refsource_CONFIRM
	https://github.com/yhirose/cpp-httplib/commit/de2…	x_refsource_MISC
	https://github.com/yhirose/cpp-httplib/releases/t…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	yhirose	cpp-httplib	Affected: < 0.37.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29076",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T17:52:24.982073Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T18:25:58.815Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cpp-httplib",
          "vendor": "yhirose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.37.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T16:08:56.048Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69"
        },
        {
          "name": "https://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6"
        },
        {
          "name": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0"
        }
      ],
      "source": {
        "advisory": "GHSA-qq6v-r583-3h69",
        "discovery": "UNKNOWN"
      },
      "title": "cpp-httplib: Stack Overflow Denial of Service (DoS) via std::regex in multipart filename parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29076",
    "datePublished": "2026-03-07T16:08:56.048Z",
    "dateReserved": "2026-03-03T20:51:43.483Z",
    "dateUpdated": "2026-03-09T18:25:58.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21428 (GCVE-0-2026-21428)

Vulnerability from cvelistv5 – Published: 2026-01-01 17:54 – Updated: 2026-01-02 18:50

Title

cpp-httplib has CRLF injection in http headers

Summary

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.

Severity ?

7.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

CWE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/yhirose/cpp-httplib/security/a…	x_refsource_CONFIRM
	https://github.com/yhirose/cpp-httplib/commit/980…	x_refsource_MISC
	https://github.com/yhirose/cpp-httplib/releases/t…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	yhirose	cpp-httplib	Affected: < 0.30.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21428",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-02T18:50:07.704892Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-02T18:50:20.380Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cpp-httplib",
          "vendor": "yhirose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.30.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR \u0026 LF characters in user supplied headers, allowing untrusted header value to escape header lines.\nThis vulnerability allows attackers to add extra headers, modify request body unexpectedly \u0026 trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-01T17:54:43.959Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7"
        },
        {
          "name": "https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd"
        },
        {
          "name": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0"
        }
      ],
      "source": {
        "advisory": "GHSA-wpc6-j37r-jcx7",
        "discovery": "UNKNOWN"
      },
      "title": "cpp-httplib has CRLF injection in http headers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-21428",
    "datePublished": "2026-01-01T17:54:43.959Z",
    "dateReserved": "2025-12-29T03:00:29.274Z",
    "dateUpdated": "2026-01-02T18:50:20.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22776 (GCVE-0-2026-22776)

Vulnerability from cvelistv5 – Published: 2026-01-12 18:18 – Updated: 2026-01-12 18:49

Title

cpp-httplib vulnerable to a denial of service (DOS) using a zip bomb

Summary

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/yhirose/cpp-httplib/security/a…	x_refsource_CONFIRM
	https://github.com/yhirose/cpp-httplib/commit/2e2…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	yhirose	cpp-httplib	Affected: < 0.30.1

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22776",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-12T18:49:48.624328Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-12T18:49:59.317Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cpp-httplib",
          "vendor": "yhirose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.30.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-409",
              "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-12T18:18:01.527Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q"
        },
        {
          "name": "https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792"
        }
      ],
      "source": {
        "advisory": "GHSA-h934-98h4-j43q",
        "discovery": "UNKNOWN"
      },
      "title": "cpp-httplib vulnerable to a denial of service (DOS) using a zip bomb"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22776",
    "datePublished": "2026-01-12T18:18:01.527Z",
    "dateReserved": "2026-01-09T18:27:19.388Z",
    "dateUpdated": "2026-01-12T18:49:59.317Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.