Undertow

This hub aggregates every CVE we track for Undertow, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Undertow.

• CVE-2026-28369Undertow: undertow: request smuggling via malformed http request headers8.7Mar 27, 2026
• CVE-2026-28367Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator8.7Mar 27, 2026
• CVE-2026-28368Undertow: undertow: request smuggling via inconsistent header parsing8.7Mar 27, 2026
• CVE-2026-3260Undertow: undertow: denial of service due to premature multipart/form-data parsing in get requests5.9Mar 24, 2026
• CVE-2025-12543Undertow-core: undertow http server fails to reject malformed host headers leading to potential cache poisoning and ssrf9.6Jan 7, 2026
• CVE-2025-9784Undertow: undertow madeyoureset http/2 ddos vulnerability7.5Sep 2, 2025
• CVE-2023-4639Undertow: cookie smuggling/spoofing7.4Nov 17, 2024
• CVE-2023-1973Undertow: unrestricted request storage leads to memory exhaustion7.5Nov 7, 2024
• CVE-2024-7885Undertow: improper state management in proxy protocol parsing causes information leakage7.5Aug 21, 2024
• CVE-2024-5971Undertow: response write hangs in case of java 17 tlsv1.3 newsessionticket7.5Jul 8, 2024
• CVE-2024-6162Undertow: url-encoded request path information can be broken on ajp-listener7.5Jun 20, 2024
• CVE-2024-1459Undertow: directory traversal vulnerability5.3Feb 12, 2024
• CVE-2023-5379Undertow: ajp request closes connection exceeding maxrequestsize7.5Dec 12, 2023
• CVE-2023-3223Undertow: outofmemoryerror due to @multipartconfig handling7.5Sep 27, 2023
• CVE-2023-1108Undertow: infinite loop in sslconduit during close7.5Sep 14, 2023