CVE-2026-40562
Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
8th
Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
| CWE | CWE-444 |
| Vendor | kazeburo |
| Product | gazelle |
| Published | May 6, 2026 |
| Last Updated | May 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for kazeburo gazelle
Be the first to know when new high vulnerabilities affecting kazeburo gazelle are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
KAZEBURO / Gazelle
0 โค 0.49
References
datatracker.ietf.org: https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 security.metacpan.org: https://security.metacpan.org/patches/G/Gazelle/0.49/CVE-2026-40562-r1.patch metacpan.org: https://metacpan.org/release/KAZEBURO/Gazelle-0.50/changes openwall.com: http://www.openwall.com/lists/oss-security/2026/05/06/7
Credits
CPANSec