Skip to main content

Request Smuggling

253 CVEs technique

Monthly

CVE-2024-52304 PyPI MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Authentication Bypass Python Request Smuggling Aiohttp
NVD GitHub
CVSS 4.0
6.3
EPSS
0.6%
CVE-2024-52530 HIGH POC This Week

GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Libsoup
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-44775 HIGH This Week

kmqtt v0.2.7 is vulnerable to Denial of Service (DoS) due to a Null Pointer Exception. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Request Smuggling Kmqtt
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-21281 MEDIUM This Month

Vulnerability in the Oracle Banking Liquidity Management product of Oracle Financial Services Applications (component: Infrastructure). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Request Smuggling Denial Of Service Oracle Banking Liquidity Management
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-8912 HIGH This Week

An HTTP Request Smuggling vulnerability in Looker allowed an unauthorized attacker to capture HTTP responses destined for legitimate users. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Request Smuggling Google Cloud Looker
NVD
CVSS 4.0
8.9
EPSS
0.2%
CVE-2024-9622 Maven MEDIUM This Month

A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2024-8925 MEDIUM POC This Month

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Request Smuggling Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2024-34535 MEDIUM This Month

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Request Smuggling Mastodon
NVD GitHub
CVSS 3.1
5.9
EPSS
0.4%
CVE-2024-42342 MEDIUM This Month

Loway - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Queuemetrics
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-27185 CRITICAL Act Now

The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Joomla
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2024-35161 HIGH This Week

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure Traffic Server
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-38494 HIGH This Week

This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD
CVSS 4.0
8.6
EPSS
0.6%
CVE-2024-22279 HIGH This Week

Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Cf Deployment Routing Release
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-23316 HIGH This Week

HTTP request desynchronization in Ping Identity PingAccess, all versions prior to 8.0.1 affected allows an attacker to send specially crafted http header requests to create a request smuggling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD
CVSS 4.0
8.8
EPSS
0.5%
CVE-2024-34350 npm HIGH PATCH This Week

Next.js is a React framework that can provide building blocks to create web applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Next Js
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-32638 MEDIUM This Month

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.8.0, 3.9.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure Apisix
NVD
CVSS 3.1
6.3
EPSS
1.1%
CVE-2024-21088 HIGH This Week

Vulnerability in the Oracle Production Scheduling product of Oracle E-Business Suite (component: Import Utility). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Request Smuggling Oracle E Business Suite
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-1135 PyPI HIGH PATCH This Week

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD
CVSS 3.0
7.5
EPSS
3.0%
CVE-2024-27922 npm CRITICAL PATCH Act Now

TOMP Bare Server implements the TompHTTP bare server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Tomp Bare Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-22081 CRITICAL Act Now

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Request Smuggling G5Dfr Firmware
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-20915 MEDIUM This Month

Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Login - SSO). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Denial Of Service Oracle Application Object Library
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-23452 HIGH PATCH This Week

Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Apache Request Smuggling Information Disclosure Brpc
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2024-21647 Ruby MEDIUM PATCH This Month

Puma is a web server for Ruby/Rack applications built for parallelism. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Puma
NVD GitHub
CVSS 3.1
5.9
EPSS
2.5%
CVE-2023-51701 npm MEDIUM PATCH This Month

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Authentication Bypass Reply From
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2023-49584 MEDIUM This Month

SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Request Smuggling Fiori Launchpad
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-46589 Maven HIGH POC PATCH This Week

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tomcat Apache Information Disclosure Request Smuggling
NVD
CVSS 3.1
7.5
EPSS
2.7%
CVE-2023-48365 CRITICAL KEV THREAT Act Now

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Request Smuggling Microsoft Qlik Sense
NVD
CVSS 3.1
9.9
EPSS
24.7%
CVE-2023-46121 PyPI LOW PATCH Monitor

yt-dlp is a youtube-dl fork with additional features and fixes. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Yt Dlp
NVD GitHub
CVSS 3.1
3.7
EPSS
0.3%
CVE-2023-47641 PyPI MEDIUM POC PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Open Redirect Aiohttp
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-47627 PyPI HIGH POC PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Information Disclosure Aiohttp
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2023-46846 MEDIUM This Month

SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Squid Enterprise Linux Enterprise Linux Eus +5
NVD GitHub
CVSS 3.1
5.3
EPSS
5.3%
CVE-2023-46137 PyPI MEDIUM POC PATCH This Month

Twisted is an event-based framework for internet applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Twisted
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2023-30910 MEDIUM This Month

HPE MSA Controller prior to version IN210R004 could be remotely exploited to allow inconsistent interpretation of HTTP requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Msa 1060 Storage Firmware Msa 2060 Storage Firmware Msa 2062 Storage Firmware
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-41265 CRITICAL POC KEV THREAT Act Now

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier,. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Microsoft Qlik Sense
NVD
CVSS 3.1
9.9
EPSS
85.0%
CVE-2023-40175 Ruby CRITICAL PATCH Act Now

Puma is a Ruby/Rack web server built for parallelism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Puma
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-40225 HIGH POC PATCH This Week

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Haproxy
NVD GitHub
CVSS 3.1
7.2
EPSS
1.8%
CVE-2023-33934 CRITICAL Act Now

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.2.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling Traffic Server
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2023-38697 Ruby MEDIUM PATCH This Month

protocol-http1 provides a low-level implementation of the HTTP/1 protocol. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Authentication Bypass Protocol Http1
NVD GitHub
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-34037 MEDIUM This Month

VMware Horizon Server contains a HTTP request smuggling vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure VMware Request Smuggling Horizon Client
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-37276 PyPI HIGH POC PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Information Disclosure Aiohttp
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-33987 CRITICAL Act Now

An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49,. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Request Smuggling Web Dispatcher
NVD
CVSS 3.1
9.4
EPSS
0.7%
CVE-2023-33193 CRITICAL POC Act Now

Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Emby Releases
NVD GitHub
CVSS 3.1
9.1
EPSS
1.7%
CVE-2023-27238 PHP CRITICAL Act Now

LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Lavalite
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2023-25950 HIGH This Week

HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Haproxy
NVD
CVSS 3.1
7.3
EPSS
2.9%
CVE-2023-29141 PHP CRITICAL PATCH Act Now

An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Mediawiki Fedora
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2023-27522 PyPI HIGH PATCH This Week

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.4.30 through 2.4.55. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling Http Server Debian Linux +1
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2023-25690 CRITICAL Act Now

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Authentication Bypass Http Server
NVD
CVSS 3.1
9.8
EPSS
83.8%
CVE-2023-25725 CRITICAL Act Now

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Authentication Bypass Haproxy Debian Linux
NVD
CVSS 3.1
9.1
EPSS
5.5%
CVE-2023-23691 HIGH This Week

Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Request Smuggling Dell Powervault Me5012 Firmware Powervault Me5024 Firmware +1
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2022-35256 MEDIUM POC This Month

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Node Js Llhttp Sinec Ins +1
NVD
CVSS 3.1
6.5
EPSS
2.6%
CVE-2022-45059 HIGH This Week

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Varnish Cache Fedora
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-42252 Maven HIGH PATCH This Week

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Tomcat Request Smuggling Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-2880 Go HIGH POC PATCH This Week

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Go
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-21826 MEDIUM This Month

Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ivanti Request Smuggling XSS Connect Secure Pulse Connect Secure
NVD
CVSS 3.1
5.4
EPSS
45.2%
CVE-2022-2466 Maven CRITICAL POC PATCH Act Now

It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Quarkus
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-33988 HIGH POC This Week

dproxy-nexgen (aka dproxy nexgen) re-uses the DNS transaction id (TXID) value from client queries, which allows attackers (able to send queries to the resolver) to conduct DNS cache-poisoning attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Dproxy Nexgen
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-1705 Go MEDIUM POC PATCH This Month

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Go
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2022-20713 MEDIUM This Month

A vulnerability in the VPN web client services component of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Cisco XSS Firepower Threat Defense Adaptive Security Appliance Software
NVD
CVSS 3.1
6.1
EPSS
1.3%
CVE-2022-25763 HIGH This Week

Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks.0.0 to 9.1.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling Traffic Server Debian Linux +1
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-32215 MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling Llhttp Node Js +4
NVD
CVSS 3.1
6.5
EPSS
68.8%
CVE-2022-32214 npm MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling Llhttp Node Js +2
NVD
CVSS 3.1
6.5
EPSS
81.5%
CVE-2022-32213 npm MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling Llhttp Node Js +4
NVD
CVSS 3.1
6.5
EPSS
42.0%
CVE-2022-31081 MEDIUM POC PATCH This Month

HTTP::Daemon is a simple http server class written in perl. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Apache Nginx Request Smuggling Debian Linux
NVD GitHub
CVSS 3.1
6.5
EPSS
2.1%
CVE-2022-26377 HIGH This Week

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Request Smuggling Http Server Fedora +1
NVD
CVSS 3.1
7.5
EPSS
19.0%
CVE-2022-29361 PyPI CRITICAL PATCH Act Now

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Werkzeug
NVD GitHub
CVSS 3.1
9.8
EPSS
7.7%
CVE-2022-0552 MEDIUM PATCH This Month

A flaw was found in the original fix for the netty-codec-http CVE-2021-21409, where the OpenShift Logging openshift-logging/elasticsearch6-rhel8 container was incomplete. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Origin Aggregated Logging
NVD GitHub
CVSS 3.1
5.9
EPSS
1.1%
CVE-2022-24801 PyPI HIGH PATCH This Week

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Python Request Smuggling Twisted Debian Linux +2
NVD GitHub
CVSS 3.1
8.1
EPSS
2.8%
CVE-2022-24790 Ruby HIGH PATCH This Week

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Puma Debian Linux Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2022-24766 PyPI CRITICAL PATCH Act Now

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Mitmproxy
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2022-24761 PyPI HIGH PATCH This Week

Waitress is a Web Server Gateway Interface server for Python 2 and 3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Python Request Smuggling Waitress Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2022-22720 CRITICAL PATCH Act Now

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Apache Request Smuggling Http Server Fedora +5
NVD
CVSS 3.1
9.8
EPSS
28.2%
CVE-2021-41442 HIGH This Week

An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling D-Link Dir X1860 Firmware
NVD VulDB
CVSS 3.1
7.5
EPSS
4.6%
CVE-2021-41451 HIGH This Week

A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP-Link AX10v1 before V1_211117 allows a remote unauthenticated attacker to send a specially crafted HTTP request and receive a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

TP-Link Request Smuggling Information Disclosure Archer Ax10 Firmware
NVD VulDB
CVSS 3.1
7.5
EPSS
3.2%
CVE-2021-43797 Maven MEDIUM PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Netty Quarkus Oncommand Workflow Automation +15
NVD GitHub
CVSS 3.1
6.5
EPSS
2.7%
CVE-2021-41450 HIGH This Week

An HTTP request smuggling attack in TP-Link AX10v1 before v1_211117 allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling TP-Link Archer Ax10 V1 Firmware
NVD VulDB
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-37253 HIGH POC This Week

M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Denial Of Service M Files Web
NVD
CVSS 3.1
7.5
EPSS
2.8%
CVE-2021-41267 PHP MEDIUM PATCH This Month

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling PHP Information Disclosure Symfony
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2021-41436 HIGH This Week

An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S),. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Gt Ax11000 Firmware Rt Ax3000 Firmware Rt Ax55 Firmware +15
NVD VulDB
CVSS 3.1
7.5
EPSS
4.6%
CVE-2021-43669 Go HIGH PATCH This Week

A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0, v2.0.1, v2.3.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Fabric
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-22959 MEDIUM POC PATCH This Month

The parser in accepts requests with a space (SP) right after the header name before the colon. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Llhttp Graalvm Debian Linux
NVD
CVSS 3.1
6.5
EPSS
2.9%
CVE-2021-43610 HIGH PATCH This Week

Belledonne Belle-sip before 5.0.20 can crash applications such as Linphone via an invalid From header (request URI without a parameter) in an unauthenticated SIP message, a different issue than. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Denial Of Service Belle Sip
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-22960 MEDIUM POC PATCH This Month

The parse function in llhttp < 2.1.4 and < 6.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Llhttp Graalvm Debian Linux
NVD
CVSS 3.1
6.5
EPSS
2.3%
CVE-2021-29991 HIGH This Week

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Request Smuggling Information Disclosure Firefox Thunderbird
NVD
CVSS 3.1
8.1
EPSS
0.9%
CVE-2021-41136 Ruby LOW PATCH Monitor

Puma is a HTTP 1.1 server for Ruby/Rack applications. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Apache Information Disclosure Puma Debian Linux
NVD GitHub
CVSS 3.1
3.7
EPSS
1.1%
CVE-2021-41732 HIGH POC This Week

An issue was discovered in zeek version 4.1.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Information Disclosure Zeek
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-31923 MEDIUM This Month

Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Pingaccess
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2021-39214 PyPI CRITICAL PATCH Act Now

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Mitmproxy
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-38162 CRITICAL POC Act Now

SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling SAP Web Dispatcher
NVD
CVSS 3.1
9.4
EPSS
2.7%
CVE-2021-34559 MEDIUM This Month

In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerability may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Wha Gw F2D2 0 As Z2 Eth Firmware Wha Gw F2D2 0 As Z2 Eth Eip Firmware
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2021-33056 HIGH PATCH This Week

Belledonne Belle-sip before 4.5.20, as used in Linphone and other products, can crash via an invalid From header in a SIP message. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Denial Of Service Belle Sip
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Authentication Bypass Python Request Smuggling +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Libsoup
NVD
EPSS 0% CVSS 7.5
HIGH This Week

kmqtt v0.2.7 is vulnerable to Denial of Service (DoS) due to a Null Pointer Exception. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Request Smuggling Kmqtt
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle Banking Liquidity Management product of Oracle Financial Services Applications (component: Infrastructure). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Request Smuggling Denial Of Service Oracle +1
NVD
EPSS 0% CVSS 8.9
HIGH This Week

An HTTP Request Smuggling vulnerability in Looker allowed an unauthorized attacker to capture HTTP responses destined for legitimate users. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Request Smuggling Google +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Request Smuggling Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Request Smuggling Mastodon
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Loway - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Queuemetrics
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Joomla
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure +1
NVD
EPSS 1% CVSS 8.6
HIGH This Week

This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Cf Deployment +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

HTTP request desynchronization in Ping Identity PingAccess, all versions prior to 8.0.1 affected allows an attacker to send specially crafted http header requests to create a request smuggling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Next.js is a React framework that can provide building blocks to create web applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Next Js
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM This Month

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.8.0, 3.9.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Vulnerability in the Oracle Production Scheduling product of Oracle E-Business Suite (component: Import Utility). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Request Smuggling Oracle +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

TOMP Bare Server implements the TompHTTP bare server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Tomp Bare Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Request Smuggling G5Dfr Firmware
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Login - SSO). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Denial Of Service Oracle +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Apache Request Smuggling Information Disclosure +1
NVD GitHub
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

Puma is a web server for Ruby/Rack applications built for parallelism. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Puma
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Authentication Bypass Reply From
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure Request Smuggling +1
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tomcat Apache Information Disclosure +1
NVD
EPSS 25% CVSS 9.9
CRITICAL KEV THREAT Act Now

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Request Smuggling Microsoft +1
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

yt-dlp is a youtube-dl fork with additional features and fixes. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Yt Dlp
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Open Redirect +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Information Disclosure +1
NVD GitHub
EPSS 5% CVSS 5.3
MEDIUM This Month

SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Squid +7
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Twisted is an event-based framework for internet applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Twisted
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

HPE MSA Controller prior to version IN210R004 could be remotely exploited to allow inconsistent interpretation of HTTP requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Msa 1060 Storage Firmware +2
NVD
EPSS 85% CVSS 9.9
CRITICAL POC KEV THREAT Act Now

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier,. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Microsoft +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Puma is a Ruby/Rack web server built for parallelism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Puma
NVD GitHub
EPSS 2% CVSS 7.2
HIGH POC PATCH This Week

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Haproxy
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL Act Now

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.2.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

protocol-http1 provides a low-level implementation of the HTTP/1 protocol. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Authentication Bypass Protocol Http1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

VMware Horizon Server contains a HTTP request smuggling vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure VMware Request Smuggling +1
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Request Smuggling Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 9.4
CRITICAL Act Now

An unauthenticated attacker in SAP Web Dispatcher - versions WEBDISP 7.49, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.81, WEBDISP 7.85, WEBDISP 7.88, WEBDISP 7.89, WEBDISP 7.90, KERNEL 7.49,. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Information Disclosure Request Smuggling +1
NVD
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Emby Releases
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

LavaLite CMS v 9.0.0 was discovered to be vulnerable to web cache poisoning. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Lavalite
NVD GitHub
EPSS 3% CVSS 7.3
HIGH This Week

HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Haproxy
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Mediawiki +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.4.30 through 2.4.55. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling +3
NVD
EPSS 84% CVSS 9.8
CRITICAL Act Now

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Authentication Bypass +1
NVD
EPSS 5% CVSS 9.1
CRITICAL Act Now

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Authentication Bypass Haproxy +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Request Smuggling Dell +3
NVD
EPSS 3% CVSS 6.5
MEDIUM POC This Month

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Node Js +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling Varnish Cache +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Tomcat Request Smuggling +1
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Go
NVD
EPSS 45% CVSS 5.4
MEDIUM This Month

Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ivanti Request Smuggling XSS +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Quarkus
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

dproxy-nexgen (aka dproxy nexgen) re-uses the DNS transaction id (TXID) value from client queries, which allows attackers (able to send queries to the resolver) to conduct DNS cache-poisoning attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling Dproxy Nexgen
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Request Smuggling Go
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A vulnerability in the VPN web client services component of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Cisco XSS +2
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks.0.0 to 9.1.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling +3
NVD
EPSS 69% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +6
NVD
EPSS 81% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +4
NVD
EPSS 42% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +6
NVD
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

HTTP::Daemon is a simple http server class written in perl. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Apache Nginx +2
NVD GitHub
EPSS 19% CVSS 7.5
HIGH This Week

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Request Smuggling +3
NVD
EPSS 8% CVSS 9.8
CRITICAL PATCH Act Now

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Werkzeug
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

A flaw was found in the original fix for the netty-codec-http CVE-2021-21409, where the OpenShift Logging openshift-logging/elasticsearch6-rhel8 container was incomplete. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Origin Aggregated Logging
NVD GitHub
EPSS 3% CVSS 8.1
HIGH PATCH This Week

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Python Request Smuggling +4
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Puma +2
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Mitmproxy
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Waitress is a Web Server Gateway Interface server for Python 2 and 3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Python Request Smuggling +2
NVD GitHub
EPSS 28% CVSS 9.8
CRITICAL PATCH Act Now

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Apache Request Smuggling +7
NVD
EPSS 5% CVSS 7.5
HIGH This Week

An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling D-Link +1
NVD VulDB
EPSS 3% CVSS 7.5
HIGH This Week

A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP-Link AX10v1 before V1_211117 allows a remote unauthenticated attacker to send a specially crafted HTTP request and receive a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

TP-Link Request Smuggling Information Disclosure +1
NVD VulDB
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Netty +17
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

An HTTP request smuggling attack in TP-Link AX10v1 before v1_211117 allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Smuggling TP-Link +1
NVD VulDB
EPSS 3% CVSS 7.5
HIGH POC This Week

M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Denial Of Service M Files Web
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling PHP Information Disclosure +1
NVD GitHub
EPSS 5% CVSS 7.5
HIGH This Week

An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S),. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Gt Ax11000 Firmware +17
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0, v2.0.1, v2.3.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Fabric
NVD GitHub
EPSS 3% CVSS 6.5
MEDIUM POC PATCH This Month

The parser in accepts requests with a space (SP) right after the header name before the colon. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Llhttp +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Belledonne Belle-sip before 5.0.20 can crash applications such as Linphone via an invalid From header (request URI without a parameter) in an unauthenticated SIP message, a different issue than. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Denial Of Service Belle Sip
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

The parse function in llhttp < 2.1.4 and < 6.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Llhttp +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Request Smuggling Information Disclosure +2
NVD
EPSS 1% CVSS 3.7
LOW PATCH Monitor

Puma is a HTTP 1.1 server for Ruby/Rack applications. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Apache Information Disclosure +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

An issue was discovered in zeek version 4.1.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Information Disclosure Zeek
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Pingaccess
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Mitmproxy
NVD GitHub
EPSS 3% CVSS 9.4
CRITICAL POC Act Now

SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Request Smuggling SAP +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerability may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Wha Gw F2D2 0 As Z2 Eth Firmware +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Belledonne Belle-sip before 4.5.20, as used in Linphone and other products, can crash via an invalid From header in a SIP message. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Denial Of Service Belle Sip
NVD GitHub
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy