← voltar
CVE-2026-55202

Tinyproxy - Stathost Detection Bypass via Host Header Manipulation

CVSS 8.8 HIGHEPSS 0.3%CWE-290
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.8EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch referenciado
Ciclo de vida
17 jun 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Produtos afetados
tinyproxy · tinyproxy

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/tinyproxy/tinyproxy/commit/09312a185ae25cc486b4ff5987638a7917a48bcehttps://github.com/tinyproxy/tinyproxy/pull/606https://www.vulncheck.com/advisories/evil-winrm-path-traversal-in-download-dir-function