Tinyproxy through 1.11.3, fixed in commit 09312a1, fails...
High severity
Unreviewed
Published
Jun 17, 2026
to the GitHub Advisory Database
•
Updated Jun 17, 2026
Description
Published by the National Vulnerability Database
Jun 17, 2026
Published to the GitHub Advisory Database
Jun 17, 2026
Last updated
Jun 17, 2026
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.
References