Skip to main content

Http

8 CVEs product

Monthly

CVE-2026-7017 HIGH PATCH This Week

Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect destination harvest sensitive headers. When a server answers with a 3xx redirect, HTTP::Tiny re-sends caller-supplied Authorization, Cookie and Proxy-Authorization headers to the new host without verifying it shares the original origin, including across scheme, host or port boundaries and over https-to-http downgrades that expose them in cleartext on the wire. No public exploit is identified at time of analysis and CISA SSVC rates exploitation as none, but the flaw is well-documented and a vendor patch is available in 0.095.

Information Disclosure Http
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-7010 MEDIUM PATCH This Month

HTTP::Tiny versions before 0.093 for Perl fail to validate carriage return and line feed (CRLF) characters in HTTP request lines and header values, allowing attackers who control input URLs or headers to inject additional HTTP headers and smuggle requests to upstream servers. Remote unauthenticated attackers can exploit this via crafted URLs passed to webhook or URL fetch endpoints, achieving limited information disclosure and integrity compromise. EPSS score of 0.03% (percentile 7%) indicates low practical exploitation probability despite network-vector accessibility.

Code Injection Http Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3256 CRITICAL Act Now

HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids.

Information Disclosure Http
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2018-25160 MEDIUM This Month

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. [CVSS 6.5 MEDIUM]

Code Injection Http
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2023-26044 PHP MEDIUM PATCH This Month

react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Http
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2022-36032 PHP MEDIUM PATCH This Month

ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Http
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2020-35669 MEDIUM POC This Month

An issue was discovered in the http package through 0.12.2 for Dart. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Http
NVD GitHub
CVSS 3.1
6.1
EPSS
2.2%
CVE-2020-25574 Cargo HIGH POC PATCH This Week

An issue was discovered in the http crate before 0.1.20 for Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Integer Overflow Http
NVD GitHub
CVSS 3.1
7.5
EPSS
2.4%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect destination harvest sensitive headers. When a server answers with a 3xx redirect, HTTP::Tiny re-sends caller-supplied Authorization, Cookie and Proxy-Authorization headers to the new host without verifying it shares the original origin, including across scheme, host or port boundaries and over https-to-http downgrades that expose them in cleartext on the wire. No public exploit is identified at time of analysis and CISA SSVC rates exploitation as none, but the flaw is well-documented and a vendor patch is available in 0.095.

Information Disclosure Http
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

HTTP::Tiny versions before 0.093 for Perl fail to validate carriage return and line feed (CRLF) characters in HTTP request lines and header values, allowing attackers who control input URLs or headers to inject additional HTTP headers and smuggle requests to upstream servers. Remote unauthenticated attackers can exploit this via crafted URLs passed to webhook or URL fetch endpoints, achieving limited information disclosure and integrity compromise. EPSS score of 0.03% (percentile 7%) indicates low practical exploitation probability despite network-vector accessibility.

Code Injection Http Suse
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids.

Information Disclosure Http
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. [CVSS 6.5 MEDIUM]

Code Injection Http
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Http
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Http
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC This Month

An issue was discovered in the http package through 0.12.2 for Dart. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Http
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

An issue was discovered in the http crate before 0.1.20 for Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Integer Overflow Http
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy