CVE-2026-55202
HIGHTinyproxy - Stathost Detection Bypass via Host Header Manipulation
Title source: cnaDescription
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.
References (3)
Core 3
Core References
Patch patch
Patch Commit
https://github.com/tinyproxy/tinyproxy/commit/09312a185ae25cc486b4ff5987638a7917a48bce
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/evil-winrm-path-traversal-in-download-dir-function
Scores
CVSS v3
8.2
EPSS
0.0034
EPSS Percentile
25.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Details
CWE
CWE-290
Status
published
Products (2)
tinyproxy/tinyproxy
< 1.11.3
tinyproxy/tinyproxy
09312a185ae25cc486b4ff5987638a7917a48bce
Published
Jun 17, 2026
Tracked Since
Jun 18, 2026