🔐 CVE Alert

CVE-2026-54399

HIGH 7.5

Apache HttpComponents Core: Unbounded HTTP Header/Line Length in Default Configuration

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 0th

An Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending messages with an excessive number of headers or excessive header length.

CWE: CWE-400
Vendor: Apache Software Foundation
Product: Apache HttpComponents Core
Published: Jul 1, 2026
Last Updated: Jul 1, 2026

Affected Versions

Apache Software Foundation / Apache HttpComponents Core
5.5-alpha ≤ 5.5-beta1
5.0-alpha ≤ 5.4.2

References

lists.apache.org: https://lists.apache.org/thread/zmxh1pl2zohov5ntdh4lt85gfrlchgpy
openwall.com: http://www.openwall.com/lists/oss-security/2026/07/01/4

Credits

Henry Huang