Skip to main content

Lighttpd

14 CVEs product

Monthly

CVE-2025-12642 MEDIUM PATCH This Month

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Authentication Bypass Lighttpd
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2022-41556 HIGH POC PATCH This Week

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Lighttpd Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
2.7%
CVE-2022-37797 HIGH POC This Week

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Lighttpd Debian Linux
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2022-30780 HIGH POC PATCH THREAT This Week

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Lighttpd
NVD GitHub
CVSS 3.1
7.5
EPSS
56.4%
CVE-2019-11072 CRITICAL POC PATCH THREAT Act Now

lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Integer Overflow Lighttpd
NVD GitHub
CVSS 3.0
9.8
EPSS
73.8%
CVE-2018-19052 HIGH POC PATCH THREAT This Week

An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Lighttpd Backports Sle Leap Suse Linux Enterprise Server +1
NVD GitHub
CVSS 3.1
7.5
EPSS
14.1%
CVE-2015-3200 HIGH POC THREAT Act Now

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.0%.

Code Injection Lighttpd Virtual Customer Access System Solaris
NVD
CVSS 3.0
7.5
EPSS
20.0%
CVE-2014-2324 MEDIUM POC PATCH THREAT This Month

Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 71.7%.

Path Traversal Lighttpd Debian Linux Opensuse Linux Enterprise High Availability Extension +2
NVD VulDB
CVSS 2.0
5.0
EPSS
71.7%
Threat
4.7
CVE-2014-2323 CRITICAL POC PATCH THREAT Act Now

SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.4%.

SQLi Lighttpd Debian Linux Opensuse Linux Enterprise High Availability Extension +1
NVD VulDB
CVSS 3.1
9.8
EPSS
90.4%
Threat
6.2
CVE-2013-4559 HIGH This Week

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Lighttpd Debian Linux Opensuse
NVD
CVSS 2.0
7.6
EPSS
9.5%
CVE-2013-4560 MEDIUM This Month

Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Memory Corruption Use After Free Lighttpd Debian Linux +1
NVD
CVSS 2.0
5.0
EPSS
6.8%
CVE-2013-4508 HIGH POC This Week

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Lighttpd Debian Linux Opensuse
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2013-1427 LOW Monitor

The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP. Rated low severity (CVSS 1.9). No vendor patch available.

PHP Debian Authentication Bypass Lighttpd
NVD
CVSS 2.0
1.9
EPSS
0.0%
CVE-2012-5533 MEDIUM POC PATCH THREAT This Month

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 37.9%.

Denial Of Service Lighttpd
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
37.9%
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Authentication Bypass Lighttpd
NVD GitHub VulDB
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Lighttpd Fedora
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC This Week

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Lighttpd +1
NVD
EPSS 56% CVSS 7.5
HIGH POC PATCH THREAT This Week

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Lighttpd
NVD GitHub
EPSS 74% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Integer Overflow Lighttpd
NVD GitHub
EPSS 14% CVSS 7.5
HIGH POC PATCH THREAT This Week

An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Lighttpd Backports Sle +3
NVD GitHub
EPSS 20% CVSS 7.5
HIGH POC THREAT Act Now

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.0%.

Code Injection Lighttpd Virtual Customer Access System +1
NVD
EPSS 72% 4.7 CVSS 5.0
MEDIUM POC PATCH THREAT This Month

Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 71.7%.

Path Traversal Lighttpd Debian Linux +4
NVD VulDB
EPSS 90% 6.2 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.4%.

SQLi Lighttpd Debian Linux +3
NVD VulDB
EPSS 10% CVSS 7.6
HIGH This Week

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Lighttpd Debian Linux +1
NVD
EPSS 7% CVSS 5.0
MEDIUM This Month

Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Memory Corruption Use After Free +3
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Lighttpd Debian Linux +1
NVD
EPSS 0% CVSS 1.9
LOW Monitor

The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP. Rated low severity (CVSS 1.9). No vendor patch available.

PHP Debian Authentication Bypass +1
NVD
EPSS 38% CVSS 5.0
MEDIUM POC PATCH THREAT This Month

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 37.9%.

Denial Of Service Lighttpd
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy