CVE-2026-55202

HIGH NVD

CVSS Score 8.2

Severity HIGH

Published Jun 17, 2026

Vendor unknown

Description

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

References

https://github.com/tinyproxy/tinyproxy/commit/09312a185ae25cc486b4ff5987638a7917a48bce
https://github.com/tinyproxy/tinyproxy/pull/606
https://www.vulncheck.com/advisories/evil-winrm-path-traversal-in-download-dir-function