CVE-2026-2708 — Vulnetix

CVE-2026-2708 PUBLISHED CVSS 3.700000047683716 LOW

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.

EPSS 0.05% · 16.7th percentile

Risk Scores

CVSS 3.1

3.700000047683716

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Score

0.05%

16.7th percentile

Affected Products

Vendor	Product	Versions
Red Hat	Red Hat Enterprise Linux 7
Red Hat	Red Hat Enterprise Linux 10
Red Hat	Red Hat Enterprise Linux 9
Red Hat	Red Hat Enterprise Linux 6
Red Hat	Red Hat Enterprise Linux 8

Exploit Intelligence

https://access.redhat.com/security/cve/CVE-2026-2708 (circl)
RHBZ#2440743 (circl)
https://gitlab.gnome.org/GNOME/libsoup/-/issues/500 (circl)
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/513 (circl)

Timeline

Feb 23, 2026 CVE Published
Apr 24, 2026 Security Advisory
May 18, 2026 EPSS Score
May 19, 2026 EPSS Score
May 20, 2026 EPSS Score
May 21, 2026 EPSS Score
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score
May 25, 2026 EPSS Score
May 26, 2026 EPSS Score
May 27, 2026 EPSS Score

References

Open in Interactive Console →