CVE-2026-54399
Apache HttpComponents Core: Unbounded HTTP Header/Line Length in Default Configuration
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers / excessive header length
| CWE | CWE-400 |
| Vendor | apache software foundation |
| Product | apache httpcomponents core |
| Published | Jul 1, 2026 |
| Last Updated | Jul 1, 2026 |
Stay Ahead of the Next One
Get instant alerts for apache software foundation apache httpcomponents core
Be the first to know when new high vulnerabilities affecting apache software foundation apache httpcomponents core are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Apache Software Foundation / Apache HttpComponents Core
5.5-alpha ≤ 5.5-beta1 5.0-alpha ≤ 5.4.2
References
Credits
Henry Huang <[email protected]>