CVE-2026-55202
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk26th percentile - higher than 26% of all known CVEs
Summary
Tinyproxy through version 1.11.3 fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.
Risk Assessment
The organization is at risk of leaking sensitive network traffic information and bypassing access control mechanisms, potentially leading to unauthorized access to internal resources.
Recommendation
Immediately update Tinyproxy to a version containing commit 09312a1 or later, which fixes this vulnerability. If an update is not possible, restrict access to the stats page using firewall rules.
Original NVD description (English source)
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

