CVE-2026-40560

EPSS 0.49%
Veröffentlicht 28.04.2026 23:46:37
Zuletzt bearbeitet 06.05.2026 16:35:19
Quelle 9b29abf9-4ab0-4765-b253-1875cd
CVE-Watchlists
Login
Unerledigt
Login

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.

Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Miyagawa ≫ Starman SwPlatformperl Version < 0.4018

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.49%	0.38

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch

Patch

Third Party Advisory

https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes

Product

Release Notes

https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3

Third Party Advisory

http://www.openwall.com/lists/oss-security/2026/04/29/1

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-40560