CVE-2026-2332 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-2332 PUBLISHED CVSS 7.400000095367432 HIGH

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

Risk Scores

CVSS v3.1

7.400000095367432

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products

Vendor	Product	Versions
Eclipse Foundation	Eclipse Jetty	12.1.0, 12.0.0, 11.0.0

Timeline

Apr 14, 2026 CVE Published
Apr 14, 2026 PoC Published
Apr 15, 2026 Security Advisory

References

Open in Interactive Console →