Vulnerability intelligence

CVE-2026-55202

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

CVSS Score

8.8

High

EPSS — Exploit Probability

0.3%

Riskier than 25% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

Patch available

Vendor fix published

NVD entry Vendor patch PoC / advisory

1 article across 1 outlet · first covered Jun 23, 2026 · latest Jun 23, 2026

Coverage timeline

Tinyproxy flaws allow HTTP request smuggling, urge patch now
securityonline.info · Jun 23, 2026