VDB
CVE-2026-2332
CVE-2026-2332
PUBLISHED
CVSS 7.400000095367432 HIGH
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
EPSS 0.02% · 6.0th percentile
Risk Scores
CVSS 3.1
7.400000095367432
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.02%
6.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse Foundation | Eclipse Jetty | 12.1.0, 12.0.0, 11.0.0 |
Exploit Intelligence
- https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf (nist-nvd)
- CIRCL seen: CVE-2026-2332 (circl-sighting)
- https://gitlab.eclipse.org/security/cve-assignment/-/issues/89 (circl)
- jetty-javadoc_advisory.json (github-poc)
- suppression.xml (github-poc)
- suppression.xml (github-poc)
- suppression.xml (github-poc)
- suppression.xml (github-poc)
- suppression.xml (github-poc)
- jetty-jmx_advisory.json (github-poc)
…and 29 more exploits
Timeline
- Apr 14, 2026 CVE Published
- Apr 14, 2026 PoC Published
- Apr 15, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 CVE Updated
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
References
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37405 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37404 advisory
- https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf third-party-advisory
- https://gitlab.eclipse.org/security/cve-assignment/-/issues/89 issue
- https://jira.mongodb.org/browse/SERVER-122032 advisory
- https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-8.0.23 advisory
- https://jira.mongodb.org/browse/SERVER-120668 advisory
- https://jira.mongodb.org/browse/SERVER-122449 advisory
- https://jira.mongodb.org/browse/SERVER-126021 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37451 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37445 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37460 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37449 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37450 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37466 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37468 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37444 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37461 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37459 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37446 advisory
…and 7 more