The Apache Software Foundation has reported two vulnerabilities in Apache HttpComponents Core, CVE-2026-54399 and CVE-2026-54428, both rated High severity (CVSS 7.5). Both can potentially allow remote denial of service through memory exhaustion, though no public exploits have been confirmed. CVE-2026-54399 concerns unbounded HTTP/1.1 headers, which let a peer send an excessive number of headers, while CVE-2026-54428 concerns HPACK decoding before the SETTINGS ACK, which can lead to resource allocation issues.
The affected versions include httpcore5 5.4.2 and earlier; developers are advised to update to newer builds and to enforce strict header limits to mitigate the risk.
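To illustrate the mitigation the advisory recommends, here is an added Python example (not code from the Apache project) of an HTTP/1.1 header reader that enforces a maximum header count, per-line length and total header-block byte budget as each line arrives, so an oversized header block is rejected before it is buffered. The limit values and the sample requests are constructed for this example.

```python
import io


class HeaderLimitExceeded(ValueError):
    """Raised when a request exceeds a configured header bound."""


def read_headers(reader, max_header_count=100, max_line_length=8192,
                 max_total_bytes=65536):
    """Read an HTTP/1.1 request line and headers from a binary reader.

    Every bound is checked as each line arrives, so the peer can never make
    us hold more than about max_total_bytes + max_line_length in memory.
    Returns (request_line, [(name, value), ...]).
    """
    # readline(n) stops after n bytes, so a line that never ends is cut short
    request_line = reader.readline(max_line_length + 1)
    if len(request_line) > max_line_length or not request_line.endswith(b"\n"):
        raise HeaderLimitExceeded("request line too long or truncated")
    headers, total = [], len(request_line)
    while True:
        line = reader.readline(max_line_length + 1)
        if len(line) > max_line_length:
            raise HeaderLimitExceeded("header line exceeds %d bytes" % max_line_length)
        if not line.endswith(b"\n"):
            raise ValueError("connection closed before end of headers")
        total += len(line)
        if total > max_total_bytes:
            raise HeaderLimitExceeded("header block exceeds %d bytes" % max_total_bytes)
        if line in (b"\r\n", b"\n"):  # blank line terminates the header block
            return request_line.rstrip(b"\r\n").decode("ascii"), headers
        if len(headers) >= max_header_count:
            raise HeaderLimitExceeded("more than %d headers" % max_header_count)
        name, sep, value = line.rstrip(b"\r\n").partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().decode("ascii"), value.strip().decode("latin-1")))


def parse_request(raw, **limits):
    """Convenience wrapper: parse a complete request held in memory."""
    return read_headers(io.BytesIO(raw), **limits)


# Constructed sample inputs for the example
NORMAL = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
MANY_HEADERS = (b"GET / HTTP/1.1\r\n"
                + b"".join(b"X-Pad-%d: a\r\n" % i for i in range(500)) + b"\r\n")
LONG_LINE = b"GET / HTTP/1.1\r\nX-Long: " + b"a" * 9000 + b"\r\n\r\n"
```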