CVE-2026-55202

Tinyproxy - Stathost Detection Bypass via Host Header Manipulation

CVSS 8.8 HIGHEPSS 0.3%CWE-290

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.8EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

17 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Productos afectados

tinyproxy · tinyproxy

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/tinyproxy/tinyproxy/commit/09312a185ae25cc486b4ff5987638a7917a48bce https://github.com/tinyproxy/tinyproxy/pull/606 https://www.vulncheck.com/advisories/evil-winrm-path-traversal-in-download-dir-function