Skip to main content

Liteide EUVDEUVD-2026-14701

| CVE-2026-4742 LOW
HTTP Request/Response Smuggling (CWE-444)
2026-03-24 GovTech CSG GHSA-cf47-c3cp-r84w
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
N

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 03:30 euvd
EUVD-2026-14701
Analysis Generated
Mar 24, 2026 - 03:30 vuln.today
Patch released
Mar 24, 2026 - 03:30 nvd
Patch available
CVE Published
Mar 24, 2026 - 03:24 nvd
LOW 2.9

DescriptionCVE.org

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in visualfc liteide (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules). This vulnerability is associated with program files http_parser.C.

This issue affects liteide: before x38.4.

AnalysisAI

An HTTP Request/Response Smuggling vulnerability exists in visualfc liteide due to inconsistent interpretation of HTTP requests in the HTTP parser component (http_parser.C), classified under CWE-444. This affects liteide versions before x38.4, allowing attackers to exploit the qjsonrpc HTTP parser module to smuggle malicious requests. An attacker could leverage this vulnerability to perform request smuggling attacks, potentially leading to cache poisoning, session hijacking, or information disclosure depending on the deployment context and HTTP intermediaries involved.

Technical ContextAI

The vulnerability resides in the liteide HTTP parser implementation (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules, specifically http_parser.C), which is responsible for parsing HTTP requests in the qjsonrpc library integrated into liteide. CWE-444 (Inconsistent Interpretation of HTTP Requests, also known as HTTP Request Smuggling) occurs when an HTTP parser fails to consistently interpret ambiguous or malformed HTTP request boundaries, particularly around Content-Length and Transfer-Encoding headers. The affected product is visualfc liteide as identified by CPE cpe:2.3:a:visualfc:liteide:*:*:*:*:*:*:*:*, with the flaw originating in third-party parsing logic. When multiple HTTP processing layers (client, intermediary, server) interpret request boundaries differently, attackers can smuggle additional requests through the connection, bypassing security controls.

RemediationAI

Upgrade visualfc liteide to version x38.4 or later immediately. The vendor has released a patch available at https://github.com/visualfc/liteide/pull/1325 (PR #1325) that addresses the HTTP parser inconsistency. Users unable to upgrade immediately should restrict network exposure of any HTTP services provided by liteide, disable or isolate qjsonrpc endpoints if not required, and ensure liteide instances are deployed only within trusted networks behind firewalls. If liteide is used in a multi-user or server context, prioritize patching as the primary remediation.

Share

EUVD-2026-14701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy