CVE-2026-28434
cpp-httplib's default exception handler leaks e.what() to clients via EXCEPTION_WHAT response header
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0.
| CWE | CWE-200 |
| Vendor | yhirose |
| Product | cpp-httplib |
| Published | Mar 4, 2026 |
| Last Updated | Mar 4, 2026 |
Get instant alerts for yhirose cpp-httplib
Be the first to know when new medium vulnerabilities affecting yhirose cpp-httplib are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N