CVE-2026-49840

CVE-2026-49840 affects FreeSWITCH libesl before version 1.11.1. The flaw occurs in esl_recv_event(): Content-Length is parsed with atol() and the result is passed to malloc(len + 1) without sign or magnitude checks, allowing a pre-authentication, remote attacker to corrupt the heap or crash the p...

CVE-2026-49753

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.contentlengthheader/1 in...

CVE-2026-49753

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.contentlengthheader/1 in...

CVE-2026-49753 HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.contentlengthheader/1 in...

EUVD-2026-33941

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.contentlengthheader/1 in...

EEF-CVE-2026-49753 HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing

Summary Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.contentlengthheader/1 i...

CVE-2026-49753

Summary of the vulnerability : CVE-2026-49753 affects the Elixir Mint HTTP/1 client. The root cause is a lenient Content-Length parser in Mint.HTTP1.Parse.content_length_header/1, which accepts a leading + sign (e.g., +0, +123) despite RFC 7230 requiring unsigned digits only. When the same Mint c...

PT-2026-45786

Summary Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content length header/1...

OESA-2026-1639 cpp-httplib security update

A C++11 single-file header-only cross platform HTTP/HTTPS library. It's extremely easy to setup. Just include httplib.h file in your code! Security Fixes: cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.1, when a cpp-httplib client uses the...

OESA-2026-1637 cpp-httplib security update

A C++11 single-file header-only cross platform HTTP/HTTPS library. It's extremely easy to setup. Just include httplib.h file in your code! Security Fixes: cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.1, when a cpp-httplib client uses the...

EEF-CVE-2026-23941 Request smuggling via first-wins Content-Length parsing in inets httpd

Summary Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Erlang OTP inets httpd module allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/httpserver/httpdrequest.erl and program routines httpdrequest:parseheaders/...

CVE-2026-23941

CVE-2026-23941 - Erlang OTP inets httpd HTTP Request Smuggling Technical details in connected documents describe a vulnerability in Erlang OTP’s inets httpd module (httpd_request.erl, httpd_request:parse_headers/7) where the server does not reject or normalize duplicate Content-Length headers. Th...

CVE-2020-7658

meinheld prior to 1.0.2 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing...

CVE-2023-53878

Member Login Script 3.3 contains a client-side desynchronization vulnerability that allows attackers to manipulate HTTP request handling by exploiting Content-Length header parsing. Attackers can send crafted POST requests with smuggled secondary requests to potentially bypass server-side request...

The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.

...

Tesla Wall Connector 安全漏洞

Tesla Wall Connector is a wall charger from Tesla USA. A security vulnerability exists in the Tesla Wall Connector that stems from improper parsing of the HTTP Content-Length header, which could lead to remote code execution...

python-twisted: possible http request smuggling

A flaw was found in python-twisted. This vulnerability occurs due to the parsing of illegal constructs in the twisted.web.http module. The illegal constructs include '+/-' in the Content-Length header, '\n and \t' etc. Non-conformant parsing leads to a desync if requests pass through multiple HTT...

HTTP Request Smuggling

Overview agoo is a fast HTTP server supporting rack. Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct...

meinheld environment error vulnerability

meinheld is a WSGI Web Server Gateway Interface asynchronous Web server from the Japanese software developer Yutaka Matsubara. An environment error vulnerability exists in meinheld because the program does not properly parse the Content-Length and Transfer Encoding headers. An attacker could...

CoDeSys 3.4 - POST Null Pointer Content-Length Parsing Remote Denial of Service

CoDeSys 3.4 - POST Null Pointer Content-Length Parsing Remote Denial of Service source: https://www.securityfocus.com/bid/50854/info CoDeSys is prone to multiple denial-of-service vulnerabilities. An attacker can exploit these issues to crash the application and deny service to legitimate users...