GHSA-f33v-8wrm-6584HighCVSS 8.2
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header...
🔗 CVE IDs covered (1)
📋 Description
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2026-55202
- https://github.com/tinyproxy/tinyproxy/pull/606
- https://github.com/tinyproxy/tinyproxy/commit/09312a185ae25cc486b4ff5987638a7917a48bce
- https://www.vulncheck.com/advisories/evil-winrm-path-traversal-in-download-dir-function
- https://github.com/advisories/GHSA-f33v-8wrm-6584