CVE-2026-55603 is a vulnerability in http-proxy-middleware, a Node.js library used for proxying HTTP requests. The vulnerability affects versions 3.0.4 to 3.0.7 and 4.1.1, where the fixRequestBody() helper function does not properly neutralize CR/LF characters in multipart/form-data requests. This allows an attacker to inject a new form part by including a CR+LF sequence in a request body value or key. As [truncated]
CVE-2026-55602 is a vulnerability in http-proxy-middleware, a node.js http-proxy middleware. The vulnerability allows a crafted Host header to route a request to an unintended backend. The issue exists from version 0.16.0 until 2.0.10, 3.0.6, and 4.1.0. The vulnerability is fixed in versions 2.0.10, 3.0.6, and 4.1.0. A crafted Host header that is only a superstring match for a configured host+path key can [truncated]
