VYPR
Medium severity 5.3 · NVD Advisory · Published May 3, 2026 · Updated May 7, 2026

CVE-2026-40561

Description

Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence.

Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230, section 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
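
The precedence rule above, as an added example (not Starlet's code and not part of the advisory): a Python function that decides body framing in the RFC 7230 section 3.3.3 order and, for comparison, in the Content-Length-first order the description attributes to Starlet. The names `parse_headers`, `framing`, `is_ambiguous` and the sample request are constructed for illustration.

```python
# Added example: body-framing decision per RFC 7230 section 3.3.3.
# All names and the sample request are constructed, not taken from Starlet.

# Constructed request head that carries both framing headers.
SAMPLE = (b"POST /upload HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Content-Length: 4\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n")

def parse_headers(raw: bytes):
    """Return [(lowercased name, value)] from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    out = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        out.append((name.strip().lower().decode("ascii"),
                    value.strip().decode("ascii")))
    return out

def framing(headers, te_first=True):
    """Decide how the request body is delimited.

    te_first=True  : RFC order, Transfer-Encoding overrides Content-Length.
    te_first=False : Content-Length-first order described in the advisory.
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = {v for n, v in headers if n == "content-length"}
    codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
    # Differing or non-numeric Content-Length values are unrecoverable.
    if len(cl) > 1 or any(not v.isdigit() for v in cl):
        return ("reject", "invalid Content-Length")
    if cl and not te_first:
        return ("length", int(next(iter(cl))))
    if te:
        # In a request, chunked must be the final transfer coding.
        if codings and codings[-1] == "chunked":
            return ("chunked", None)
        return ("reject", "chunked is not the final transfer coding")
    if cl:
        return ("length", int(next(iter(cl))))
    return ("length", 0)                          # no body

def is_ambiguous(headers):
    """True when both framing headers are present (candidate for a 400)."""
    names = {n for n, _ in headers}
    return {"transfer-encoding", "content-length"} <= names
```

A front end that frames this request as chunked and a back end that frames it by Content-Length disagree on where the body ends; rejecting any request for which `is_ambiguous` is true removes that disagreement.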

Affected products

  • Kazuho/Starlet (3 versions)
    • (no CPE)
    • cpe:2.3:a:kazuho:starlet:*:*:*:*:*:perl:*:* (range: <=0.31)
    • (no CPE) (range: <=0.31)
