CVE-2026-34441

Published: Mar 31, 2026

Modified: Apr 1, 2026

PUBLISHED

CVSS v3.1

4.8

MEDIUM

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.

Vendor	Product	Versions
yhirose	cpp-httplib	affected `< 0.40.0`

Weaknesses (CWE)

CWE-444

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-jv63-rm9j-6jwc

x_refsource_CONFIRM

https://github.com/yhirose/cpp-httplib/releases/tag/v0.40.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-34441

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References