Http

This hub aggregates every CVE we track for Http, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 9 most recently published vulnerabilities affecting Http.

• CVE-2026-3256HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids9.8Mar 28, 2026
• CVE-2026-3255HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function6.5Feb 27, 2026
• CVE-2023-44487The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.KEV7.5Oct 10, 2023
• CVE-2023-26044ReactPHP's HTTP server continues parsing unused multipart parts after reaching limits5.3May 17, 2023
• CVE-2022-36032ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent5.3Sep 6, 2022
• CVE-2019-25009An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness.9.8Dec 31, 2020
• CVE-2020-35669An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HT...6.1Dec 24, 2020
• CVE-2020-25574An issue was discovered in the http crate before 0.1.20 for Rust. An integer overflow in HeaderMap::reserve() could result in denial of service (e.g., an infinite loop).7.5Sep 14, 2020
• CVE-2015-1828The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack.5.9Oct 6, 2017