Skip to main content

Starlet EUVD-2026-26806

| CVE-2026-40561 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-05-03 CPANSec
Information Disclosure Request Smuggling
5.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

7
Source Code Evidence Fetched
May 04, 2026 - 14:22 vuln.today
Analysis Generated
May 04, 2026 - 14:22 vuln.today
CVSS changed
May 04, 2026 - 14:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
May 03, 2026 - 01:15 euvd
EUVD-2026-26806
Analysis Generated
May 03, 2026 - 01:15 vuln.today
Patch released
May 03, 2026 - 01:15 nvd
Patch available
CVE Published
May 03, 2026 - 00:57 nvd
MEDIUM 5.3

DescriptionNVD

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence.

Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

AnalysisAI

HTTP request smuggling in Starlet through version 0.31 allows remote unauthenticated attackers to bypass header validation by exploiting incorrect precedence of Content-Length over Transfer-Encoding headers. The vulnerability violates RFC 7230 section 3.3.3, which mandates that Transfer-Encoding must take precedence when both headers are present. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-26806 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy