CVE-2026-55202

Tinyproxy - Stathost Detection Bypass via Host Header Manipulation

CVSS 8.8 HIGHEPSS 0.3%CWE-290

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.8EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

17 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

tinyproxy · tinyproxy

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/tinyproxy/tinyproxy/commit/09312a185ae25cc486b4ff5987638a7917a48bce https://github.com/tinyproxy/tinyproxy/pull/606 https://www.vulncheck.com/advisories/evil-winrm-path-traversal-in-download-dir-function