CVE-2026-45372
9.9 CRITICAL
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
Published: 2026-05-29 · Last updated: 2026-06-01
Severity and scoring
- CVSS: 9.9 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
- CWE: CWE-444, CWE-93
Affected products
| Vendor | Product |
|---|---|
| yhirose | cpp-httplib |
Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-46527 — cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library (7.5 HIGH)
- CVE-2026-45352 — cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library (5.3 MEDIUM)
Same CWE
- CVE-2026-50639 — Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections (6.5 MEDIUM)
- CVE-2026-50638 — Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections
- CVE-2026-50637 — Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections
- CVE-2026-41853 — Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks (5.3 MEDIUM)
- CVE-2026-49756 — Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via att...