CVE-2026-40561

Published: Mag 03, 2026 Last Modified: Mag 04, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,3
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none

Description

AI Translation Available

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence.

Starlet incorrectly prioritizes 'Content-Length' over 'Transfer-Encoding: chunked' when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0001
Percentile
0,0th
Updated

EPSS Score Trend (Last 2 Days)

444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Non-Repudiation Access Control
Potential Impacts:
Unexpected State Hide Activities Bypass Protection Mechanism
Applicable Platforms
Technologies: Web Based, Web Server
View CWE Details
https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3
https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3
https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e…
https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2…
http://www.openwall.com/lists/oss-security/2026/05/03/1
http://www.openwall.com/lists/oss-security/2026/05/03/1