CVE-2026-44974
Parameter smuggling in @hapi/content header parser allows upload-filter bypass via duplicate parameters
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
@hapi/content provided HTTP Content-* headers parsing. Prior to 6.0.2, Content.disposition() retained the last occurrence of each duplicate parameter while Content.type() retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another component in the request-processing chain resolves duplicates the opposite way. This can allow an upload filename allowlist bypass in headers such as Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php". This issue is fixed in version 6.0.2.
| CWE | CWE-436 |
| Vendor | hapijs |
| Product | content |
| Published | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for hapijs content
Be the first to know when new unknown vulnerabilities affecting hapijs content are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
hapijs / content
< 6.0.2