Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-444

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Parent: CWE-436 - Interpretation Conflict

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

334 vulnerabilities with CWE-444

CVE-2026-50020 MEDIUM

Netty's HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted

CVE-2026-46342 MEDIUM

Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning

CVE-2026-6338 MEDIUM

HTTP request smuggling in Kong Enteprise Gateway

CVE-2026-41853 MEDIUM

Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux

CVE-2026-44546 LOW

Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing

CVE-2026-50052 LOW

Vinyl Cache - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVE-2026-49753 MEDIUM

HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing

CVE-2026-45372 CRITICAL

cpp-httplib: HTTP header value percent-decoding in server-side `parse_header` enables CRLF injection

CVE-2026-6324 MEDIUM

Libsoup: libsoup: http request smuggling via unsigned to signed conversion error

CVE-2026-47676 MEDIUM

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

CVE-2026-48710 MEDIUM

Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks

CVE-2026-8620 HIGH

IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using when using Web Server Plug-ins

CVE-2026-42585 MEDIUM

Netty: HTTP Request Smuggling due to malformed Transfer-Encoding

CVE-2026-42584 HIGH

Netty: HttpClientCodec response desynchronization

CVE-2026-42581 MEDIUM

Netty: HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

CVE-2026-42580 MEDIUM

Netty: HTTP Request Smuggling due to incorrect chunk size parsing

CVE-2026-41417 MEDIUM

Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()

CVE-2026-40562 HIGH

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence

CVE-2026-40561 MEDIUM

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence

CVE-2026-39805 MEDIUM

CL.CL HTTP request smuggling via duplicate Content-Length in bandit

CVE-2026-40560 HIGH

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence

CVE-2026-41873 CRITICAL

Pony Mail: Admin account takeover via request smuggling

CVE-2026-2708 LOW

Libsoup: libsoup: http request smuggling via duplicate content-length headers

CVE-2026-2332 HIGH

HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

CVE-2026-40175 MEDIUM

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Page 1 of 14 Next

Details

Vulnerabilities 334

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy