Lucene search
K

73 matches found

NVD
NVD
added 2026/03/05 12:15 a.m.14 views

CVE-2026-2833

An HTTP request smuggling vulnerability CWE-444 was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the...

9.3CVSS0.00666EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/05 12:0 a.m.9 views

Pingora 安全漏洞

Pingora is a library open sourced by Cloudflare, used for building fast, reliable, and scalable network services. Prior to version 0.8.0, Pingora had security vulnerabilities. These vulnerabilities stemmed from improper construction of default cache keys, which could lead to cross-tenant data lea...

8.4CVSS6.8AI score0.00394EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/05 12:0 a.m.7 views

Pingora 安全漏洞

Pingora is a library open sourced by Cloudflare, used to build fast, reliable, and scalable network services. Prior to Pingora v0.8.0, there were security vulnerabilities. These vulnerabilities stemmed from the use of the HTTP request interleaving technique when handling HTTP/1.1 connection...

9.3CVSS6.8AI score0.00666EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/05 12:0 a.m.9 views

Pingora 安全漏洞

Pingora is a library open sourced by Cloudflare, used to build fast, reliable, and scalable network services. Prior to Pingora v0.8.0, there were security vulnerabilities. These vulnerabilities stemmed from the use of HTTP request interception techniques when parsing HTTP/1.0 and Transfer-Encodin...

9.3CVSS6.8AI score0.00707EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/04 11:44 p.m.29 views

CVE-2026-2836 Cache poisoning via insecure-by-default cache key

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

8.4CVSS0.00394EPSS
Exploits0References1
OSV
OSV
added 2026/03/04 11:44 p.m.4 views

CVE-2026-2836 Cache poisoning via insecure-by-default cache key

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

8.4CVSS6.7AI score0.00394EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/04 11:44 p.m.10 views

CVE-2026-2836

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

8.4CVSS5.8AI score0.00394EPSS
Exploits0References2
CVE
CVE
added 2026/03/04 11:44 p.m.57 views

CVE-2026-2836

Pingora CVE-2026-2836 affects the default cache key construction in Pingora’s alpha proxy caching feature, which uses only the URI path and omits the host header (authority) and other factors. This can enable cross-tenant data leakage and cache poisoning where cached responses may be served to us...

8.4CVSS5.8AI score0.00394EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/04 11:44 p.m.3 views

CVE-2026-2836 Cache poisoning via insecure-by-default cache key

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

8.4CVSS5.7AI score0.00394EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/04 11:32 p.m.7 views

CVE-2026-2835

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

9.3CVSS5.9AI score0.00707EPSS
Exploits0References2
CVE
CVE
added 2026/03/04 11:32 p.m.85 views

CVE-2026-2835

Pingora contains an HTTP Request Smuggling (CWE-444) flaw in its parsing of HTTP/1.0 bodies and multiple Transfer-Encoding values, which can desynchronize request framing and allow a frontend proxy to bypass ACLs, poison caches, and enable cross-user attacks when Fronting certain backends. Cloudf...

9.3CVSS5.9AI score0.00707EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/03/04 11:32 p.m.4 views

CVE-2026-2835 HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

9.3CVSS6.7AI score0.00707EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/04 11:32 p.m.1 views

CVE-2026-2835 HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

9.3CVSS5.7AI score0.00707EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/04 11:20 p.m.40 views

CVE-2026-2833 HTTP Request Smuggling via Premature Upgrade

An HTTP request smuggling vulnerability CWE-444 was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the...

9.3CVSS0.00666EPSS
Exploits0References1
OSV
OSV
added 2026/03/04 11:20 p.m.5 views

CVE-2026-2833 HTTP Request Smuggling via Premature Upgrade

An HTTP request smuggling vulnerability CWE-444 was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the...

9.3CVSS6.7AI score0.00666EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/04 11:20 p.m.4 views

CVE-2026-2833 HTTP Request Smuggling via Premature Upgrade

An HTTP request smuggling vulnerability CWE-444 was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the...

9.3CVSS5.7AI score0.00666EPSS
Exploits0References1
CVE
CVE
added 2026/03/04 11:20 p.m.33 views

CVE-2026-2833

CVE-2026-2833 / Pingora HTTP request smuggling via premature Upgrade . Affected product: Pingora proxy in standalone deployments. Vulnerability: HTTP/1.1 upgrade handling allows forwarding the bytes after an Upgrade header to the backend before the backend accepts the upgrade (CWE-444), potential...

9.3CVSS5.9AI score0.00666EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/04 11:20 p.m.6 views

CVE-2026-2833

An HTTP request smuggling vulnerability CWE-444 was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the...

9.3CVSS5.9AI score0.00666EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/03/04 12:0 p.m.5 views

bws-web-server (>=0.1.0 <=0.1.1), pingora (>=0.1.0 <=0.6.0) +3 more potentially affected by CVE-2026-2836 via pingora-cache (>=0.1.1 <=0.6.0)

pingora-cache CARGO version =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.6.0 - revoke-gateway =0.3.0 - static-files-module =0.1.0 Source cves: CVE-2026-2836 Source advisory: OSV:RUSTSEC-2026-0035...

8.4CVSS6.7AI score0.00394EPSS
Exploits0
OSV
OSV
added 2026/03/04 12:0 p.m.5 views

RUSTSEC-2026-0033 HTTP Request Smuggling via Premature Upgrade

Pingora versions prior to 0.8.0 would immediately forward bytes following a request with an Upgrade header to the backend, without waiting for a 101 Switching Protocols response. This allows an attacker to smuggle requests to the backend and bypass proxy-level security controls. This vulnerabilit...

9.3CVSS6AI score0.00666EPSS
Exploits0References4
Rows per page
Query Builder