CVE-2026-40562

UNKNOWN 0.0

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

CWE	CWE-444
Vendor	kazeburo
Product	gazelle
Published	May 6, 2026

Stay Ahead of the Next One

Get instant alerts for kazeburo gazelle

Be the first to know when new unknown vulnerabilities affecting kazeburo gazelle are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

KAZEBURO / Gazelle

0 ≤ 0.49

References

NVD ↗ CVE.org ↗ EPSS Data ↗

datatracker.ietf.org: https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 security.metacpan.org: https://security.metacpan.org/patches/G/Gazelle/0.49/CVE-2026-40562-r1.patch

Credits

CPANSec