Skip to main content

Varnish Enterprise

4 CVEs product

Monthly

CVE-2026-34475 MEDIUM PATCH This Month

Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12 mishandle HTTP/1.1 URLs with a root path (/) in unchecked req.url scenarios, enabling cache poisoning and authentication bypass attacks. Unauthenticated remote attackers can exploit this with moderate complexity to poison cached content or bypass authentication controls affecting downstream clients. No active exploitation has been confirmed, though the vulnerability carries a 5.4 CVSS score reflecting network accessibility and partial impact to confidentiality and integrity.

Authentication Bypass Varnish Enterprise Vinyl Cache
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-30347 MEDIUM This Month

Varnish Enterprise before 6.0.13r13 allows remote attackers to obtain sensitive information via an out-of-bounds read for range requests on ephemeral MSE4 stevedore objects. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Buffer Overflow Varnish Enterprise
NVD
CVSS 3.1
4.0
EPSS
0.1%
CVE-2025-30346 MEDIUM PATCH This Month

Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Request Smuggling Varnish Enterprise Varnish Cache Red Hat +1
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2023-41104 MEDIUM PATCH This Month

libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access during base64 decoding, leading to both authentication bypass and information. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Information Disclosure Authentication Bypass Varnish Enterprise Vmod Digest
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12 mishandle HTTP/1.1 URLs with a root path (/) in unchecked req.url scenarios, enabling cache poisoning and authentication bypass attacks. Unauthenticated remote attackers can exploit this with moderate complexity to poison cached content or bypass authentication controls affecting downstream clients. No active exploitation has been confirmed, though the vulnerability carries a 5.4 CVSS score reflecting network accessibility and partial impact to confidentiality and integrity.

Authentication Bypass Varnish Enterprise Vinyl Cache
NVD VulDB
EPSS 0% CVSS 4.0
MEDIUM This Month

Varnish Enterprise before 6.0.13r13 allows remote attackers to obtain sensitive information via an out-of-bounds read for range requests on ephemeral MSE4 stevedore objects. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Buffer Overflow Varnish Enterprise
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Request Smuggling Varnish Enterprise +3
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access during base64 decoding, leading to both authentication bypass and information. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Information Disclosure Authentication Bypass +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy