Host Header Injection Vulnerability in Tinyproxy by Tinyproxy Team
CVE-2026-55202

8.8HIGH

Key Information:

Vendor

Tinyproxy

Status
Tinyproxy
Vendor
CVE Published:
17 June 2026

What is CVE-2026-55202?

Tinyproxy versions up to 1.11.3 are susceptible to a vulnerability that fails to adequately validate the Host header during stat host detection. This flaw enables unauthenticated attackers to manipulate requests by injecting a custom Host header, allowing access to the statistics page. Furthermore, attackers can bypass detection mechanisms through port manipulation, leading to unauthorized access to sensitive internal statistics or using the proxy to misroute connections. This vulnerability necessitates prompt attention to mitigate potential abuse through transparent proxy connections that evade existing access controls.

Affected Version(s)

tinyproxy 0 <= 1.11.3

tinyproxy 09312a185ae25cc486b4ff5987638a7917a48bce

References

https://github.com/tinyproxy/tinyproxy/pull/606
issue-tracking
https://github.com/tinyproxy/tinyproxy/commit/09312a185ae...
patch
https://www.vulncheck.com/advisories/evil-winrm-path-trav...
third-party-advisory

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tristan Madani (@TristanInSec)
.