cbcvebase.

Cloudflare Https Github.Com Cloudflare Pingora vulnerabilities

3 known vulnerabilities affecting cloudflare/https_github.com_cloudflare_pingora.

Total CVEs
3
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH1

Vulnerabilities

Page 1 of 1
CVE-2026-2833P2CRITICALCVSS 9.1fixed in 0.8.02026-03-05
CVE-2026-2833 [CRITICAL] CWE-444 CVE-2026-2833: An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connec An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus
nvd
CVE-2026-2835P3CRITICALCVSS 9.1fixed in 0.8.02026-03-05
CVE-2026-2835 [CRITICAL] CWE-444 CVE-2026-2835: An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 an An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desyn
nvd
CVE-2026-2836P3HIGHCVSS 8.1fixed in 0.8.02026-03-05
CVE-2026-2836 [HIGH] CWE-345 CVE-2026-2836: A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache k A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header (authority). Operators relying on the default are vulnerable to cache pois
nvd
Cloudflare Https Github.Com Cloudflare Pingora vulnerabilities | cvebase