CVE Catalog

CVE-2026-55202

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

25th percentile — higher than 25% of all known CVEs

Summary

Tinyproxy through 1.11.3 fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation.

Risk Assessment

Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections, potentially circumventing access controls.

Recommendation

It is recommended to update Tinyproxy to version 1.11.4 or later to fix this vulnerability and implement additional security measures for accessing statistics.

Original NVD description (English source)

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS