CVE Tools

lighttpd

Networking Infrastructureoss-project

26

Cumulative CVEs

15

Monthly snapshots

#26

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting lighttpd.

CVE-2025-12642HTTP Header Smuggling via Trailer Merge9.1Nov 3, 2025
CVE-2018-25103Use-after-free vulnerabilities in lighttpd <= 1.4.505.3Jun 17, 2024
CVE-2022-41556A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is rel...7.5Oct 6, 2022
CVE-2022-37797In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the ...7.5Sep 12, 2022
CVE-2022-30780Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that di...7.5Jun 11, 2022
CVE-2022-22707In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial o...5.9Jan 6, 2022
CVE-2019-11072lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious H...9.8Apr 10, 2019
CVE-2018-19052An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mo...7.5Nov 7, 2018
CVE-2015-3200mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a...7.5Jun 9, 2015
CVE-2014-2324Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name,...5.0Mar 14, 2014
CVE-2014-2323SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.9.8Mar 14, 2014
CVE-2013-4560Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory f...5.0Nov 19, 2013
CVE-2013-4559lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote atta...7.6Nov 19, 2013
CVE-2013-4508lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or ob...7.5Nov 8, 2013
CVE-2013-1427The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP c...1.9Mar 21, 2013