What is the CVSS score of CVE-2026-40562?

CVE-2026-40562 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Gazelle are affected by CVE-2026-40562?

Gazelle web server versions through 0.49 contain an HTTP request smuggling vulnerability that allows unauthenticated attackers to bypass proxy security controls and inject malicious requests directly…. A patch is available.

Gazelle CVE-2026-40562

EUVD-2026-27825 HIGH

HTTP Request/Response Smuggling (CWE-444)

2026-05-06 CPANSec

GHSA-mjw2-gf6p-382h

Information Disclosure Request Smuggling

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

May 06, 2026 - 16:31 vuln.today

CVSS changed

May 06, 2026 - 15:22 NVD

7.5 (None) 7.5 (HIGH)

DescriptionNVD

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence.

Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

AnalysisAI

HTTP Request Smuggling in Gazelle (Perl web server) versions through 0.49 enables attackers to smuggle malicious requests through reverse proxies by exploiting incorrect header precedence. Gazelle violates RFC 7230 by prioritizing Content-Length over Transfer-Encoding: chunked when both headers are present, allowing desynchronization between front-end proxies and the backend server. …

RemediationAI

Within 24 hours: Identify all Gazelle instances in production via asset inventory and verify current versions against 0.49. Within 7 days: Apply vendor-released patch from CPANSec to all affected Gazelle deployments; test in staging environment first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40562 vulnerability details – vuln.today

Back

Gazelle CVE-2026-40562

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code