CVE-2026-26365: Incorrect processing of “Connection: Transfer-Encoding”

...

SUSE CVE-2026-1760

A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests,...

CVE-2026-1760

A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests,...

AZL-77618 CVE-2026-1760 affecting package libsoup 3.0.4-12

A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests,...

CVE-2026-1760

A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests,...

UBUNTU-CVE-2026-1760

A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests,...

EUVD-2026-5105

A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests,...

CVE-2026-1760

CVE-2026-1760 – SoupServer HTTP request smuggling . A flaw in SoupServer allows a remote unauthenticated attacker to smuggle additional requests over a persistent connection by exploiting combined Transfer-Encoding: chunked and Connection: keep-alive handling, potentially causing DoS. The vulnera...

CVE-2026-1760

A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests,...

Linux Distros Unpatched Vulnerability : CVE-2026-1760

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding:...

CVE-2025-63649

An out-of-bounds read in the httpparsertransferencodingchunked function mkserver/mkhttpparser.c of monkey commit f37e984 allows attackers to cause a Denial of Service DoS via sending a crafted POST request to the server...

CVE-2025-63649

An out-of-bounds read in the httpparsertransferencodingchunked function mkserver/mkhttpparser.c of monkey commit f37e984 allows attackers to cause a Denial of Service DoS via sending a crafted POST request to the server...

zeek -- potential DoS vulnerability

Tim Wojtulewicz of Corelight reports: Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or Content-Length headers set in MIME entities within HTTP bodies and change the analyzer behavior...

CVE-2025-63649

An out-of-bounds read in the httpparsertransferencodingchunked function mkserver/mkhttpparser.c of monkey commit f37e984 allows attackers to cause a Denial of Service DoS via sending a crafted POST request to the server...

CVE-2025-63649

An out-of-bounds read in the httpparsertransferencodingchunked function mkserver/mkhttpparser.c of monkey commit f37e984 allows attackers to cause a Denial of Service DoS via sending a crafted POST request to the server...

Monkey Server security vulnerabilities

Monkey Server is an open-source HTTP server developed by Monkey I/O. There is a security vulnerability in Monkey Server, which stems from out-of-bounds read accesses in the http parser-transferencodingchunked function. This vulnerability could lead to denial-of-service attacks...

CVE-2025-63649

CVE-2025-63649 affects monkey (mk_server/mk_http_parser.c) due to an out-of-bounds read in http_parser_transfer_encoding_chunked following commit f37e984. This can allow a remote attacker to trigger a Denial of Service by sending a crafted POST request to the server. Connected documents corrobora...

EUVD-2025-206530

An out-of-bounds read in the httpparsertransferencodingchunked function mkserver/mkhttpparser.c of monkey commit f37e984 allows attackers to cause a Denial of Service DoS via sending a crafted POST request to the server...

📄 Lighttpd 1.4.66 Resource Leak Denial of Service

Lighttpd versions 1.4.56 through 1.4.66 has a resource exhaustion vulnerability affecting gateway backends such as FastCGI. When handling an HTTP/1.1 request with chunked transfer encoding and request-body streaming enabled, lighttpd mishandles an anomalous client disconnect RDHUP / half-closed T...

MiracleLinux 9 : nodejs-nodemon-2.0.19-1.el9, nodejs-16.16.0-1.el9 (AXSA:2022-4073:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-4073:01 advisory. nodejs-ini: Prototype pollution via malicious INI file CVE-2020-7788 nodejs-glob-parent: Regular expression denial of service CVE-2020-28469...