Monthly
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.
Apache Traffic Server versions 9.0.0-9.2.12 and 10.0.0-10.1.1 are vulnerable to HTTP request smuggling through malformed chunked transfer encoding, allowing attackers to bypass security controls and smuggle malicious requests. The vulnerability stems from improper parsing of chunked messages (CWE-444: Inconsistent Interpretation of HTTP Requests) and affects all deployments using these versions as reverse proxies or intermediaries. Apache has released patched versions 9.2.13 and 10.1.2; no public exploit code or active exploitation has been reported at the time of analysis.
IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.
Remote attackers can access sensitive information in IBM Verify Identity Access Container 11.0-11.0.2, IBM Security Verify Access Container 10.0-10.0.9.1, and their non-containerized counterparts through HTTP request smuggling. The vulnerability exploits inconsistent HTTP request interpretation between the application and its reverse proxy, allowing unauthenticated remote access to restricted data with low attack complexity.
HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.
Undertow's improper handling of HTTP requests with leading whitespace in header lines enables remote, unauthenticated request smuggling attacks (CWE-444) against Red Hat middleware and enterprise products. Attackers can exploit this HTTP standard violation to bypass security controls, access restricted data, or poison web caches across a wide deployment base including JBoss EAP 7/8, Red Hat Fuse 7, Data Grid 8, and RHEL 8/9/10 distributions. The CVSS score of 8.7 with changed scope (S:C) and high attack complexity (AC:H) indicates significant impact potential, though no public exploit identified at time of analysis.
Undertow HTTP request smuggling via malformed header terminator allows remote unauthenticated attackers to bypass security controls and manipulate web requests through vulnerable proxies including older Apache Traffic Server and Google Cloud Classic Application Load Balancer. With CVSS 8.7 (High/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N), the vulnerability affects multiple Red Hat product lines including JBoss EAP 7 and 8, Fuse 7, Data Grid 8, and RHEL 8-10 distributions. No public exploit identified at time of analysis, though the attack vector is network-accessible and requires no authentication.
Undertow header parsing discrepancies enable HTTP request smuggling attacks against Red Hat middleware and enterprise platforms, allowing remote unauthenticated attackers to bypass security controls and access unauthorized resources. The vulnerability affects multiple Red Hat products including JBoss Enterprise Application Platform 7 and 8, Data Grid 8, Fuse 7, Single Sign-On 7, and Enterprise Linux 8, 9, and 10 distributions. With a CVSS score of 8.7 and changed scope (S:C), attackers can exploit inconsistent header interpretation between Undertow and upstream proxies to smuggle malicious requests past authentication and authorization mechanisms, achieving high confidentiality and integrity impact without requiring authentication.
CVE-2026-33870 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.
Apache Traffic Server versions 9.0.0-9.2.12 and 10.0.0-10.1.1 are vulnerable to HTTP request smuggling through malformed chunked transfer encoding, allowing attackers to bypass security controls and smuggle malicious requests. The vulnerability stems from improper parsing of chunked messages (CWE-444: Inconsistent Interpretation of HTTP Requests) and affects all deployments using these versions as reverse proxies or intermediaries. Apache has released patched versions 9.2.13 and 10.1.2; no public exploit code or active exploitation has been reported at the time of analysis.
IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.
Remote attackers can access sensitive information in IBM Verify Identity Access Container 11.0-11.0.2, IBM Security Verify Access Container 10.0-10.0.9.1, and their non-containerized counterparts through HTTP request smuggling. The vulnerability exploits inconsistent HTTP request interpretation between the application and its reverse proxy, allowing unauthenticated remote access to restricted data with low attack complexity.
HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.
Undertow's improper handling of HTTP requests with leading whitespace in header lines enables remote, unauthenticated request smuggling attacks (CWE-444) against Red Hat middleware and enterprise products. Attackers can exploit this HTTP standard violation to bypass security controls, access restricted data, or poison web caches across a wide deployment base including JBoss EAP 7/8, Red Hat Fuse 7, Data Grid 8, and RHEL 8/9/10 distributions. The CVSS score of 8.7 with changed scope (S:C) and high attack complexity (AC:H) indicates significant impact potential, though no public exploit identified at time of analysis.
Undertow HTTP request smuggling via malformed header terminator allows remote unauthenticated attackers to bypass security controls and manipulate web requests through vulnerable proxies including older Apache Traffic Server and Google Cloud Classic Application Load Balancer. With CVSS 8.7 (High/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N), the vulnerability affects multiple Red Hat product lines including JBoss EAP 7 and 8, Fuse 7, Data Grid 8, and RHEL 8-10 distributions. No public exploit identified at time of analysis, though the attack vector is network-accessible and requires no authentication.
Undertow header parsing discrepancies enable HTTP request smuggling attacks against Red Hat middleware and enterprise platforms, allowing remote unauthenticated attackers to bypass security controls and access unauthorized resources. The vulnerability affects multiple Red Hat products including JBoss Enterprise Application Platform 7 and 8, Data Grid 8, Fuse 7, Single Sign-On 7, and Enterprise Linux 8, 9, and 10 distributions. With a CVSS score of 8.7 and changed scope (S:C), attackers can exploit inconsistent header interpretation between Undertow and upstream proxies to smuggle malicious requests past authentication and authorization mechanisms, achieving high confidentiality and integrity impact without requiring authentication.
CVE-2026-33870 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.