CVE Catalog

CVE-2026-38969

Low risk· EPSS 6%
Published: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

A vulnerability in the Ruby WEBrick library (up to version 1.9.2) re-parses the trailer Content-Length header into the canonical request state, enabling request smuggling attacks.

Risk Assessment

An attacker can exploit this flaw to smuggle malicious HTTP requests, potentially bypassing security controls, hijacking sessions, or attacking other applications behind a proxy.

Recommendation

Immediately update the WEBrick library to version 1.9.3 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS