{"id":"CVE-2026-55202","summary":"Tinyproxy - Stathost Detection Bypass via Host Header Manipulation","details":"Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.","modified":"2026-07-08T08:12:42.001287928Z","published":"2026-06-17T19:13:45.383Z","related":["openSUSE-SU-2026:11060-1"],"database_specific":{"cwe_ids":["CWE-290"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55202.json","cna_assigner":"VulnCheck"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55202.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55202"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/evil-winrm-path-traversal-in-download-dir-function"},{"type":"REPORT","url":"https://github.com/tinyproxy/tinyproxy/pull/606"},{"type":"FIX","url":"https://github.com/tinyproxy/tinyproxy/commit/09312a185ae25cc486b4ff5987638a7917a48bce"},{"type":"PACKAGE","url":"https://github.com/tinyproxy/tinyproxy"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tinyproxy/tinyproxy","events":[{"introduced":"0"},{"fixed":"baecbf4c3e006fa68ab92f65bbd4138c47ede111"},{"fixed":"09312a185ae25cc486b4ff5987638a7917a48bce"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.11.3"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["1.11.3","1.11.2","1.11.1","1.11.0","1.11.0-rc1","1.10.0","1.8.0","1.7.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55202.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"}]}