GHSA-f33v-8wrm-6584HighCVSS 8.2

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header...

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

🔗 References (5)