Severity by source
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.
AnalysisAI
A flaw was found in libsoup, a library used by applications to send network requests.
Technical ContextAI
Server-Side Request Forgery allows an attacker to induce the server to make HTTP requests to arbitrary destinations, including internal services.
RemediationAI
Validate and whitelist allowed URLs and IP ranges. Block requests to internal/private IP ranges. Use network segmentation to limit server-side request scope.
Vendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| upstream | needs-triage | - |
| bionic | deferred | 2026-03-11 |
| focal | deferred | 2026-03-11 |
| jammy | deferred | 2026-03-11 |
| noble | deferred | 2026-03-11 |
| questing | deferred | 2026-03-11 |
| xenial | deferred | 2026-03-11 |
| Release | Status | Version |
|---|---|---|
| upstream | needs-triage | - |
| jammy | deferred | 2026-03-11 |
| noble | deferred | 2026-03-11 |
| questing | deferred | 2026-03-11 |
Debian
Bug #1130499| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.72.0-2 | - |
| bullseye (security) | vulnerable | 2.72.0-2+deb11u3 | - |
| bookworm | vulnerable | 2.74.3-1+deb12u1 | - |
| trixie | vulnerable | 2.74.3-10.1 | - |
| (unstable) | fixed | (unfixed) | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 3.2.3-0+deb12u2 | - |
| trixie | vulnerable | 3.6.5-3 | - |
| forky, sid | vulnerable | 3.6.6-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12559