CVE-2026-13474

HIGH

NetScaler - Denial of Service via Malformed HTTP/2 Requests

Title source: rule

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-13474. PoCs published by derekpreston81.

AI-analyzed exploit summary: This repository contains a Python script that scans NetScaler configuration files for preconditions of specific CVEs, including CVE-2026-13474. It does not exploit the vulnerability but checks for configurations that may indicate vulnerability.

Description

Denial of service via malformed HTTP/2 requests in NetScaler ADC and NetScaler Gateway when HTTP/2 is enabled in an HTTP profile and that profile is associated with a virtual server (of type LB, CS, or VPN) or a service configured on NetScaler.

Exploits (1)

github · SCANNER · 1 star
by derekpreston81 · python · poc
https://github.com/derekpreston81/CVE_ADC_IOC_2026

Classification: Scanner 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: NetScaler ADC
No auth needed
Prerequisites: access to NetScaler configuration file or SSH credentials
mistral-large-3 · analyzed Jul 01, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0044
EPSS Percentile: 35.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-401
Status: published
Products (10)
citrix/netscaler_application_delivery_controller 14.1-66.68
citrix/netscaler_application_delivery_controller < 13.1-37.272 (2 CPE variants)
citrix/netscaler_application_delivery_controller 13.1 - 13.1-63.18
citrix/netscaler_gateway 13.1 - 13.1-63.18
NetScaler/ADC 13.1 - 63.18
NetScaler/ADC 13.1 FIPS and NDcPP - 37.272
NetScaler/ADC 14.1 - 72.61
NetScaler/ADC 14.1 FIPS - 72.61
NetScaler/Gateway 13.1 - 63.18
NetScaler/Gateway 14.1 - 72.61
Published: Jun 30, 2026
Tracked Since: Jun 30, 2026