CVE-2026-12606 PUBLISHED

Assigner: eclipse
Reserved: 18.06.2026 Published: 14.07.2026 Updated: 14.07.2026

Eclipse Grizzly in versions before 5.0.2, cannot properly parse the trailer section in malformed trailer header's line, which can be leveraged to perform HTTP request smuggling.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.3

Product Status

Vendor Eclipse Foundation
Product Eclipse GlassFish
Versions Default: unaffected
  • affected from 4.0.0 to 4.0.2 (incl.)
  • affected from 5.0.0 to 5.0.2 (excl.)

Credits

  • Sebastiano Sartor finder

References

Problem Types

  • CWE-444: Inconsistent Interpretation of HTTP Requests CWE

Impacts

  • CAPEC-33: HTTP Request Smuggling