๐Ÿ” CVE Alert

CVE-2026-40561

UNKNOWN 0.0

Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 section 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
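The precedence rule from RFC 7230 section 3.3.3, as an added example that is not Starlet's code or the upstream patch: `body_framing` applies the RFC order and, in its default strict mode, rejects a request carrying both headers, while `content_length_first` is a simplified model of the precedence described above. All function names and the sample request head are constructed for illustration.

```python
# Added example, not Starlet's code. Names and sample data are constructed.
class BadRequest(Exception):
    """Framing is invalid or ambiguous: answer 400 and close the connection."""

def parse_head(raw: bytes):
    """Return [(lowercased name, value)] from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    fields = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise BadRequest("malformed header line")
        fields.append((name.lower(), value.strip()))
    return fields

def _values(fields, wanted):
    """All comma-separated list members of every field named `wanted`."""
    return [m.strip() for n, v in fields if n == wanted for m in v.split(",")]

def body_framing(fields, strict=True):
    """RFC 7230 section 3.3.3: Transfer-Encoding overrides Content-Length."""
    codings = [c.lower() for c in _values(fields, "transfer-encoding")]
    lengths = set(_values(fields, "content-length"))
    if codings:
        if codings[-1] != "chunked":
            raise BadRequest("chunked is not the final transfer coding")
        if lengths and strict:
            raise BadRequest("Transfer-Encoding and Content-Length both present")
        return ("chunked", None)
    if lengths:
        if len(lengths) != 1:
            raise BadRequest("conflicting Content-Length values")
        (value,) = lengths
        if not (value.isascii() and value.isdigit()):
            raise BadRequest("invalid Content-Length")
        return ("length", int(value))
    return ("length", 0)                         # request with no body

def content_length_first(fields):
    """Simplified model of the precedence the advisory describes as wrong."""
    lengths = _values(fields, "content-length")
    if lengths:
        return ("length", int(lengths[0]))
    return body_framing(fields)

# Constructed sample: a request head that carries both framing headers.
AMBIGUOUS = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
```

When the two functions disagree on the same head, a front-end proxy and the back-end can disagree on where the request ends, which is why the RFC says such a message ought to be handled as an error.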

CWE: CWE-444
Vendor: kazuho
Product: starlet
Published: May 3, 2026
Affected Versions

KAZUHO / Starlet
0 ≤ 0.31

References

datatracker.ietf.org: https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3
github.com: https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch

Credits

CPANSec