CVE-2026-54388 is a critical vulnerability in Tinyproxy, a small HTTP proxy server. The issue allows remote attackers to desynchronize the proxy and backend parser state by sending requests with multiple Content-Length headers containing different values. This enables attackers to inject arbitrary HTTP requests to the backend, potentially leading to cache poisoning, access control bypass, and request hija [truncated]
CVE-2026-54387 is a critical vulnerability in Tinyproxy, a small HTTP proxy server. The vulnerability occurs when Tinyproxy fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. This allows remote attackers to desynchronize the proxy and backend parser sta [truncated]
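
A check for the two header conflicts described in the entries above (several Content-Length headers with different values, and Content-Length sent together with Transfer-Encoding: chunked), written as an added example and not Tinyproxy's code or its fix. The function name, issue labels and sample requests are constructed for illustration; the rule applied is the RFC 9112 one that such messages must be rejected or normalized rather than forwarded verbatim.

```python
def framing_issues(raw_head: bytes) -> list[str]:
    """Return the body-framing conflicts found in one HTTP/1.1 request head."""
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]          # skip the request line
    lengths, chunked, issues = [], False, []
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            issues.append("malformed-header-line")
            continue
        key = name.strip().lower()
        if key == b"content-length":
            # "Content-Length: 5, 11" is equivalent to two separate headers.
            lengths += [v.strip() for v in value.split(b",")]
        elif key == b"transfer-encoding":
            codings = [c.strip().lower() for c in value.split(b",")]
            chunked = chunked or b"chunked" in codings
    if any(not v.isdigit() for v in lengths):
        issues.append("invalid-content-length")
    if len(set(lengths)) > 1:
        # Proxy and backend may each pick a different value as the body length.
        issues.append("conflicting-content-length")
    if lengths and chunked:
        # One hop may frame by length while the next frames by chunks.
        issues.append("content-length-with-chunked")
    return issues


# Constructed sample request heads (no bodies), for illustration only.
SAMPLES = {
    "clean": b"POST /upload HTTP/1.1\r\nHost: backend.example\r\n"
             b"Content-Length: 5\r\n\r\n",
    "two_lengths": b"POST /upload HTTP/1.1\r\nHost: backend.example\r\n"
                   b"Content-Length: 5\r\nContent-Length: 11\r\n\r\n",
    "length_and_chunked": b"POST /upload HTTP/1.1\r\nHost: backend.example\r\n"
                          b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, framing_issues(head) or "ok")
```

A front end that gets a non-empty result should answer 400 and close the connection instead of forwarding the request.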