CVE-2026-46527

Published: Mag 29, 2026 Last Modified: Mag 29, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,7

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector—undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service). With Sanitizers enabled, you get an explicit runtime diagnostic. This vulnerability is fixed in 0.44.0.

476

NULL Pointer Dereference

Stable

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Integrity Confidentiality

Potential Impacts:

Dos: Crash, Exit, Or Restart Execute Unauthorized Code Or Commands Read Memory Modify Memory

Applicable Platforms

Languages: C, C++, Java, C#, Go

Likelihood of Exploit: Medium

View CWE Details

https://github.com/yhirose/cpp-httplib/security/advisories/…

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-hg3g-vrg8-578g

CVE-2026-46527

Description

NULL Pointer Dereference

Common Consequences

Applicable Platforms

Iscriviti alla newsletter