VYPR
Medium severity 5.4 · NVD Advisory · Published Oct 26, 2022 · Updated Jun 17, 2026

CVE-2022-39348

Description

Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the Host header does not match a configured host, twisted.web.vhost.NameVirtualHost returns a NoResource resource that renders the Host header unescaped into the 404 response, allowing HTML and script injection. In practice this should be very difficult to exploit, as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
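The flaw described above is a missing output-encoding step on a client-controlled header. The following is an added example, not Twisted's code: it models a 404 renderer with and without escaping and reports which HTML metacharacters a renderer reflects raw. The page template, message text, probe value and all function names are constructed for illustration.

```python
import html

# Constructed page template and message text; not Twisted's actual markup.
PAGE = ("<html><head><title>404 - No Such Resource</title></head>"
        "<body><h1>No Such Resource</h1><p>{detail}</p></body></html>")

META = "<>\"'&"
# Accepted escaped spellings of each metacharacter.
ESCAPED = {"<": ("&lt;",), ">": ("&gt;",), '"': ("&quot;", "&#34;"),
           "'": ("&#x27;", "&#39;"), "&": ("&amp;",)}

# Constructed probe: a unique token followed by every HTML metacharacter.
PROBE_TOKEN = "vhost-probe-7f3a"
PROBE_HOST = PROBE_TOKEN + META


def render_not_found_unescaped(host):
    """Flawed pattern: the client-supplied Host value goes into markup as-is."""
    return PAGE.format(detail="host %s not in vhost map" % host)


def render_not_found_escaped(host):
    """Hardened pattern: HTML-escape the value before it reaches the page."""
    return PAGE.format(
        detail="host %s not in vhost map" % html.escape(host, quote=True))


def raw_metachars_reflected(render):
    """Return the metacharacters of PROBE_HOST that `render` echoes unescaped."""
    body = render(PROBE_HOST)
    pos = body.find(PROBE_TOKEN)
    if pos == -1:
        return ""  # the Host value is not reflected at all
    pos += len(PROBE_TOKEN)
    leaked = ""
    for ch in META:
        form = next((f for f in ESCAPED[ch] if body.startswith(f, pos)), None)
        if form is not None:
            pos += len(form)      # properly escaped, skip past the entity
        elif body.startswith(ch, pos):
            leaked += ch          # raw metacharacter survived into the HTML
            pos += 1
        else:
            break                 # reflection was truncated or altered
    return leaked


if __name__ == "__main__":
    print("unescaped renderer leaks:", repr(raw_metachars_reflected(render_not_found_unescaped)))
    print("escaped renderer leaks:  ", repr(raw_metachars_reflected(render_not_found_escaped)))
```

The same `raw_metachars_reflected` check can wrap any function that turns a Host value into an error page, which makes it usable as a regression test after upgrading.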

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Twisted (PyPI)
Affected versions: >= 0.9.4, < 22.10.0rc1
Patched versions: 22.10.0rc1
