CVE-2026-55202

Description

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

How to fix CVE-2026-55202

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

Debian/tinyproxy—no fix listed

Is CVE-2026-55202 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-55202.

Affected packages (1)

from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-55202