CVE-2026-40561

MEDIUM 5.3

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

1th

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

CWE	CWE-444
Vendor	kazuho
Product	starlet
Published	May 3, 2026
Last Updated	May 7, 2026

Stay Ahead of the Next One

Get instant alerts for kazuho starlet

Be the first to know when new medium vulnerabilities affecting kazuho starlet are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

KAZUHO / Starlet

0 ≤ 0.31

References

NVD ↗ CVE.org ↗ EPSS Data ↗

datatracker.ietf.org: https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 github.com: https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch metacpan.org: https://metacpan.org/release/KAZUHO/Starlet-0.32/changes openwall.com: http://www.openwall.com/lists/oss-security/2026/05/03/1

Credits

CPANSec