9.9

CVE-2026-45372: cpp-httplib: Uncontrolled Data in Headers

CVE-2026-45372
Summary

cpp-httplib's server validated incoming header values before percent-decoding them, so an encoded CRLF (%0D%0A) could pass the check and end up as a literal \r\n byte pair in the stored header value. This vulnerability affects users of cpp-httplib before version 0.44.0. To fix this issue, update to version 0.44.0 or later.

Original title
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header ...
Original description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.
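
The ordering problem described above, as an added C++ example that is not cpp-httplib's code and not the upstream fix. `field_value_ok`, `percent_decode` and both `store_*` functions are hypothetical simplifications, and the sample value is constructed; the block contrasts checking before decoding with checking the decoded bytes that are actually stored.

```cpp
#include <iostream>
#include <string>

// Hypothetical stand-in for a field-value check: rejects CR, LF, NUL and other controls.
static bool field_value_ok(const std::string &v) {
  for (unsigned char c : v)
    if ((c < 0x20 && c != '\t') || c == 0x7f) return false;
  return true;
}

static int hex_val(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Minimal percent-decoder: %XX becomes one byte; malformed escapes are copied as-is.
static std::string percent_decode(const std::string &s) {
  std::string out;
  for (std::size_t i = 0; i < s.size(); ++i) {
    int hi = -1, lo = -1;
    if (s[i] == '%' && i + 2 < s.size()) { hi = hex_val(s[i + 1]); lo = hex_val(s[i + 2]); }
    if (hi >= 0 && lo >= 0) { out.push_back(static_cast<char>(hi * 16 + lo)); i += 2; }
    else out.push_back(s[i]);
  }
  return out;
}

// Order described in the advisory: the raw value is checked, then decoded and stored.
static bool store_check_then_decode(const std::string &raw, std::string &stored) {
  if (!field_value_ok(raw)) return false;
  stored = percent_decode(raw);  // decoded bytes are never re-checked
  return true;
}

// Hardened order: the check runs on the exact bytes that will be stored.
static bool store_decode_then_check(const std::string &raw, std::string &stored) {
  std::string decoded = percent_decode(raw);
  if (!field_value_ok(decoded)) return false;
  stored = decoded;
  return true;
}

int main() {
  std::string a, b;  // "abc%0D%0Adef" is a constructed sample header value
  std::cout << "check-then-decode accepts: " << store_check_then_decode("abc%0D%0Adef", a) << "\n";
  std::cout << "decode-then-check accepts: " << store_decode_then_check("abc%0D%0Adef", b) << "\n";
}
```

The same rule applies to any transformation applied to a header value: validate after the last decoding step, not before it.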
NVD CVSS 3.1: 9.9
Vulnerability type
CWE-93
CWE-444
Published: 29 May 2026 · Updated: 31 May 2026 · First seen: 29 May 2026