CVE-2026-55202

Source
https://cve.org/CVERecord?id=CVE-2026-55202
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55202.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55202
Downstream
Related
Published
2026-06-17T19:13:45.383Z
Modified
2026-07-08T08:12:42.001287928Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Tinyproxy - Stathost Detection Bypass via Host Header Manipulation
Details

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55202.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-290"
    ]
}
References

Affected packages

Git / github.com/tinyproxy/tinyproxy

Affected ranges

Type
GIT
Repo
https://github.com/tinyproxy/tinyproxy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.3"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.10.0
1.11.0
1.11.0-rc1
1.11.1
1.11.2
1.11.3
1.7.1
1.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55202.json"