CVE-2026-55202 | Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to … | CVSS 8.2 HIGH

Description

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

Metadata

CVE ID: CVE-2026-55202
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-16 15:53 UTC
Published: 2026-06-17 19:13 UTC
Last updated: 2026-06-17 19:45 UTC
Primary CWE: CWE-290
Authentication Bypass by Spoofing
Vendor / Product: tinyproxy / tinyproxy
Sources: cve.org · NVD

Severity & Metrics

8.2 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
tinyproxy	tinyproxy	—	0 ≤ 1.11.3, 09312a185ae25cc486b4ff5987638a7917a48bce

Weakness (CWE)

CWE	Source	Description
CWE-290	cna	Authentication Bypass by Spoofing

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.8	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
8.2	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References (3)