CVE-2026-55202

Summary

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

Affected Software

VendorProductVersion RangeStatus
tinyproxytinyproxy0 <= 1.11.3affected
tinyproxytinyproxy09312a185ae25cc486b4ff5987638a7917a48bceunaffected

Weaknesses

  • CWE-290: Authentication Bypass by Spoofing

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References