CWE-444

Total CVEs: 84
Critical: 27
High: 35
Avg CVSS: 7.7

Yearly Trend

2026: 11
2025: 22
2024: 15
2023: 12
2022: 14

Top Affected Vendors

1. Apache (8)
2. Debian (7)
3. Fedoraproject (6)
4. HAProxy (3)
5. AIOHTTP (3)
6. Oracle (3)
7. SAP (3)
8. mitmproxy (2)
9. TP-Link (2)
10. Varnish Software (2)

All CWE-444 CVEs (84)

CVE-2022-22536 | CVSS 10.0 | Feb 9, 2022
CVE-2022-22536 is a critical HTTP request smuggling vulnerability in multiple SAP components that allows unauthenticated attackers to prepend maliciou...

CVE-2025-55315 | CVSS 9.9 | Oct 14, 2025
CVE-2025-55315 is an HTTP request smuggling vulnerability in ASP.NET Core that allows an authenticated attacker to bypass security features by manipul...

CVE-2024-10264 | CVSS 9.8 | Mar 20, 2025
CVE-2024-10264 is an HTTP request smuggling vulnerability in netease-youdao/qanything version 1.4.1 that allows attackers to bypass security controls ...

CVE-2024-27922 | CVSS 9.8 | Mar 21, 2024
This vulnerability in TOMP Bare Server allows attackers to manipulate HTTP requests through insecure handling in the @tomphttp/bare-server-node packag...

CVE-2023-27238 | CVSS 9.8 | May 12, 2023
LavaLite CMS v9.0.0 contains a web cache poisoning vulnerability that allows attackers to inject malicious content into web caches. This can lead to u...

CVE-2023-29141 | CVSS 9.8 | Mar 31, 2023
This vulnerability in MediaWiki allows attackers to trigger automatic IP blocking by manipulating the X-Forwarded-For HTTP header. It affects MediaWik...

CVE-2023-25690 | CVSS 9.8 | Mar 7, 2023
This CVE describes an HTTP request smuggling vulnerability in Apache HTTP Server when mod_proxy is configured with certain RewriteRule or ProxyPassMat...

CVE-2022-29361 | CVSS 9.8 | May 25, 2022
CVE-2022-29361 is an HTTP request smuggling vulnerability in Pallets Werkzeug v2.1.0 and below that allows attackers to bypass security controls by se...

CVE-2022-24766 | CVSS 9.8 | Mar 21, 2022
CVE-2022-24766 is an HTTP request smuggling vulnerability in mitmproxy that allows malicious clients or servers to bypass security controls. Attackers...

CVE-2022-22720 | CVSS 9.8 | Mar 14, 2022
Apache HTTP Server versions 2.4.52 and earlier contain a vulnerability where the server fails to properly close inbound connections when encountering ...

CVE-2022-22532 | CVSS 9.8 | Feb 9, 2022
CVE-2022-22532 is a critical memory corruption vulnerability in SAP NetWeaver Application Server Java that allows unauthenticated attackers to execute...

CVE-2021-45468 | CVSS 9.8 | Jan 14, 2022
This vulnerability allows remote attackers to bypass Imperva Web Application Firewall security controls by using gzip Content-Encoding in HTTP POST re...

CVE-2023-48365 | CVSS 9.6 | Nov 15, 2023
CVE-2023-48365 is an unauthenticated remote code execution vulnerability in Qlik Sense Enterprise for Windows. Attackers can exploit improper HTTP hea...

CVE-2023-41265 | CVSS 9.6 | Aug 29, 2023
CVE-2023-41265 is an HTTP request tunneling vulnerability in Qlik Sense Enterprise for Windows that allows remote attackers to bypass security control...

CVE-2023-46846 | CVSS 9.3 | Nov 3, 2023
CVE-2023-46846 is an HTTP request smuggling vulnerability in Squid proxy due to lenient chunked decoder handling. It allows attackers to bypass securi...

CVE-2025-12642 | CVSS 9.1 | Nov 3, 2025
CVE-2025-12642 is an HTTP header smuggling vulnerability in lighttpd 1.4.80 where trailer fields are incorrectly merged into headers after HTTP reques...

CVE-2025-58068 | CVSS 9.1 | Aug 29, 2025
Eventlet versions before 0.40.3 are vulnerable to HTTP request smuggling due to improper handling of HTTP trailer sections. This allows attackers to b...

CVE-2024-56523 | CVSS 9.1 | May 12, 2025
This vulnerability allows remote attackers to bypass Radware Cloud WAF filters by sending HTTP GET requests with random data in the request body. Atta...

CVE-2025-43859 | CVSS 9.1 | Apr 24, 2025
CVE-2025-43859 is an HTTP request smuggling vulnerability in the h11 Python library's parsing of chunked transfer encoding. This allows attackers to b...

CVE-2024-29643 | CVSS 9.1 | Apr 18, 2025
This vulnerability allows attackers to perform Host header injection in Croogo v3.0.2 via the feed.rss component. Attackers can manipulate HTTP Host h...

CVE-2023-29476 | CVSS 9.1 | Dec 14, 2024
Menlo On-Premise Appliance versions before 2.88 have a web policy enforcement vulnerability where intentionally malformed client requests may bypass s...

CVE-2024-27185 | CVSS 9.1 | Aug 20, 2024
This vulnerability in Joomla's pagination class allows attackers to inject arbitrary parameters into pagination links, which can poison caching system...

CVE-2023-33934 | CVSS 9.1 | Aug 9, 2023
CVE-2023-33934 is an improper input validation vulnerability in Apache Traffic Server that could allow remote attackers to execute arbitrary code or c...

CVE-2023-25725 | CVSS 9.1 | Feb 14, 2023
CVE-2023-25725 is an HTTP request smuggling vulnerability in HAProxy that allows attackers to bypass access controls by sending specially crafted HTTP...

CVE-2021-46825 | CVSS 9.1 | Jul 7, 2022
This HTTP desync vulnerability in Symantec ASG and ProxySG allows remote unauthenticated attackers to send crafted HTTP requests through the proxy, ca...

CVE-2022-24790 | CVSS 9.1 | Mar 30, 2022
CVE-2022-24790 is an HTTP request smuggling vulnerability in Puma HTTP server that allows attackers to bypass front-end proxies and send malicious req...

CVE-2022-23959 | CVSS 9.1 | Jan 26, 2022
This CVE describes an HTTP request smuggling vulnerability in Varnish Cache and Varnish Enterprise. Attackers can exploit this to bypass security cont...

CVE-2026-23527 | CVSS 8.9 | Jan 15, 2026
CVE-2026-23527 is a critical HTTP request smuggling vulnerability in the H3 framework where case-sensitive header validation allows attackers to bypas...

CVE-2025-41235 | CVSS 8.6 | May 30, 2025
Spring Cloud Gateway Server improperly forwards X-Forwarded-For and Forwarded headers from untrusted proxies, allowing attackers to spoof client IP ad...

CVE-2023-33987 | CVSS 8.6 | Jul 11, 2023
An unauthenticated attacker can send specially crafted requests to SAP Web Dispatcher, which may cause back-end servers to confuse message boundaries ...

CVE-2022-22690 | CVSS 8.6 | Jan 18, 2022
CVE-2022-22690 allows attackers to overwrite the UmbracoApplicationUrl configuration in Umbraco CMS, enabling them to redirect password reset and user...

CVE-2024-41671 | CVSS 8.3 | Jul 29, 2024
This vulnerability in Twisted's HTTP server allows pipelined HTTP requests to be processed out-of-order, potentially exposing sensitive information fr...

CVE-2025-14523 | CVSS 8.2 | Dec 11, 2025
This vulnerability in libsoup's HTTP header handling allows attackers to send duplicate Host headers, creating a mismatch between proxy routing and ba...

CVE-2022-24801 | CVSS 8.1 | Apr 4, 2022
This vulnerability in Twisted's HTTP 1.1 server allows HTTP request smuggling due to non-RFC-compliant parsing of HTTP requests. Attackers can exploit...

CVE-2021-29991 | CVSS 8.1 | Nov 3, 2021
Firefox and Thunderbird incorrectly accepted newline characters in HTTP/3 headers, interpreting them as separate headers. This allows attackers to per...

CVE-2021-39214 | CVSS 8.1 | Sep 16, 2021
CVE-2021-39214 is an HTTP request smuggling vulnerability in mitmproxy that allows malicious clients or servers to bypass security controls by smuggli...

CVE-2025-53643 | CVSS 7.5 | Jul 14, 2025
CVE-2025-53643 is a request smuggling vulnerability in AIOHTTP's pure Python parser that fails to properly parse HTTP trailer sections. This allows at...

CVE-2025-49826 | CVSS 7.5 | Jul 3, 2025
A cache poisoning vulnerability in Next.js versions 15.0.4-canary.51 through 15.1.7 allows HTTP 204 responses to be cached for static pages. When expl...

CVE-2024-53868 | CVSS 7.5 | Apr 3, 2025
Apache Traffic Server is vulnerable to HTTP request smuggling when processing malformed chunked messages. This allows attackers to bypass security con...

CVE-2025-31137 | CVSS 7.5 | Apr 1, 2025
This vulnerability allows attackers to spoof URLs in incoming requests by manipulating Host or X-Forwarded-Host headers with URL pathnames in the port...

CVE-2024-6827 | CVSS 7.5 | Mar 20, 2025
CVE-2024-6827 is an HTTP request smuggling vulnerability in Gunicorn 21.2.0 where improper Transfer-Encoding header validation allows attackers to bypa...

CVE-2024-52530 | CVSS 7.5 | Nov 11, 2024
This vulnerability in GNOME libsoup allows HTTP request smuggling by ignoring null characters at the end of HTTP header names. Attackers can craft mal...

CVE-2024-8912 | CVSS 7.5 | Oct 11, 2024
An HTTP Request Smuggling vulnerability in Looker allows attackers to intercept HTTP responses intended for legitimate users. This affects customer-ho...

CVE-2023-38522 | CVSS 7.5 | Jul 26, 2024
Apache Traffic Server improperly validates HTTP field names, allowing characters that violate HTTP specifications. This enables attackers to craft mal...

CVE-2024-21088 | CVSS 7.5 | Apr 16, 2024
This vulnerability in Oracle Production Scheduling's Import Utility allows unauthenticated attackers with network access via HTTP to compromise data i...

CVE-2024-1135 | CVSS 7.5 | Apr 16, 2024
Gunicorn web servers are vulnerable to HTTP Request Smuggling attacks due to improper validation of Transfer-Encoding headers. Attackers can craft req...

CVE-2022-26377 | CVSS 7.5 | Jun 9, 2022
This HTTP request smuggling vulnerability in Apache HTTP Server's mod_proxy_ajp module allows attackers to bypass security controls and smuggle malici...

CVE-2021-41451 | CVSS 7.5 | Dec 17, 2021
A cache poisoning vulnerability in TP-Link Archer AX10 v1 routers allows remote attackers to manipulate HTTP responses by sending specially crafted re...

CVE-2021-41450 | CVSS 7.5 | Dec 8, 2021
CVE-2021-41450 is an HTTP request smuggling vulnerability in TP-Link Archer AX10 v1 routers that allows remote attackers to send specially crafted HTT...

CVE-2021-37253 | CVSS 7.5 | Dec 5, 2021
This vulnerability allows denial of service attacks against M-Files Web servers by sending HTTP requests with overlapping Range or Request-Range heade...

About CWE-444

Our database tracks 84 CVEs classified as CWE-444, with 27 rated critical and 35 rated high severity. The average CVSS score for CWE-444 vulnerabilities is 7.7.
