DEBIAN-CVE-2026-45372

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2026-45372

Published: 29 May 2026, 20:16

Last modified:30 May 2026, 10:00

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.9 CRITICAL

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

29 May 2026, 20:16

Published

Vulnerability first disclosed

30 May 2026, 10:00

Last Modified

Vulnerability information updated

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.

CVSS Metrics

v3.1•CRITICAL•Score: 9.9CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

Affected Systems

debian•cpp-httplib
all | all | all

References (1)

https://security-tracker.debian.org/tracker/CVE-2026-45372