CVE-2026-28434 MEDIUM

CVE-2026-28434: cpp-httplib's default exception handler leaks e.what() to clients via EXCEPTION_WHAT response header

Vendor Yhirose
Product cpp-httplib
Weakness CWE-200 · Info exposure
Published March 4, 2026
Last update March 4, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

cpp-httplib is a C++11 single-file, header-only, cross-platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes the exception message (e.what()) directly into the HTTP response as a header named EXCEPTION_WHAT. That header goes back to whoever sent the request: no authentication is checked and no special configuration is needed, because this default handler is active unless the application replaces it. Any client able to make a handler throw (for example with malformed or unexpected input) therefore receives the internal exception text, which commonly carries file paths, backend hostnames, query fragments or library error strings. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks these messages to any client. The vulnerability is fixed in 0.35.0; on older releases, registering an exception handler that logs the message server-side and returns a generic error to the client removes the leak.
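The following is an added example, not code from cpp-httplib or from the advisory. The Request, Response and Server types in it are a constructed stand-in (an assumption, written only to make the block compile on its own) whose dispatch loop reproduces the pre-0.35.0 default the advisory describes: an unhandled exception becomes an EXCEPTION_WHAT header. The exception handler registered by install_safe_exception_handler() is the mitigation pattern for older releases; its signature (request, response, std::exception_ptr) matches what current cpp-httplib passes to set_exception_handler(), so the lambda body carries over to the real library. The database error string is a constructed sample.

```cpp
// Added example: model of the CVE-2026-28434 behaviour and its mitigation.
// Request/Response/Server here are a constructed stand-in for cpp-httplib,
// not the library's own code.
#include <exception>
#include <functional>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>

struct Request {
    std::string path;
};

struct Response {
    int status = 200;
    std::string body;
    std::map<std::string, std::string> headers;
    void set_header(const std::string& k, const std::string& v) { headers[k] = v; }
    bool has_header(const std::string& k) const { return headers.count(k) != 0; }
    std::string get_header_value(const std::string& k) const {
        auto it = headers.find(k);
        return it == headers.end() ? std::string() : it->second;
    }
};

using Handler = std::function<void(const Request&, Response&)>;
using ExceptionHandler =
    std::function<void(const Request&, Response&, std::exception_ptr)>;

class Server {
public:
    void Get(const std::string& path, Handler h) { routes_[path] = std::move(h); }
    void set_exception_handler(ExceptionHandler h) { exception_handler_ = std::move(h); }

    // Dispatch one request. The catch block mirrors the pre-0.35.0 default:
    // with no handler registered, e.what() is copied into an EXCEPTION_WHAT
    // response header and sent to the client.
    Response handle(const Request& req) {
        Response res;
        auto it = routes_.find(req.path);
        if (it == routes_.end()) { res.status = 404; return res; }
        try {
            it->second(req, res);
        } catch (...) {
            res.status = 500;
            if (exception_handler_) {
                exception_handler_(req, res, std::current_exception());
            } else {
                // The vulnerable default: internal detail leaves the process.
                try { std::rethrow_exception(std::current_exception()); }
                catch (const std::exception& e) { res.set_header("EXCEPTION_WHAT", e.what()); }
                catch (...) { res.set_header("EXCEPTION_WHAT", "unknown exception"); }
            }
        }
        return res;
    }

private:
    std::map<std::string, Handler> routes_;
    ExceptionHandler exception_handler_;
};

// Mitigation for releases before 0.35.0: register a handler so the default
// never runs. The message is logged server-side only; the client gets a
// generic 500 with no exception text in headers or body.
void install_safe_exception_handler(Server& svr) {
    svr.set_exception_handler([](const Request& req, Response& res, std::exception_ptr ep) {
        std::string detail = "non-std exception";
        try { if (ep) std::rethrow_exception(ep); }
        catch (const std::exception& e) { detail = e.what(); }
        catch (...) {}
        std::cerr << "handler for " << req.path << " threw: " << detail << '\n';
        res.status = 500;
        res.set_header("Content-Type", "text/plain");
        res.body = "Internal Server Error";
    });
}

// A route whose failure message is exactly the kind of thing that leaks
// (constructed sample string).
Server make_server() {
    Server svr;
    svr.Get("/report", [](const Request&, Response&) {
        throw std::runtime_error(
            "connect to db-primary.internal:5432 failed: password authentication failed for user \"app\"");
    });
    return svr;
}

// What an unauthenticated client sees from the unpatched default.
std::string leaked_header_unpatched() {
    Server svr = make_server();
    return svr.handle(Request{"/report"}).get_header_value("EXCEPTION_WHAT");
}

// Whether EXCEPTION_WHAT is still present once a handler is registered.
bool leaks_after_fix() {
    Server svr = make_server();
    install_safe_exception_handler(svr);
    return svr.handle(Request{"/report"}).has_header("EXCEPTION_WHAT");
}

int main() {
    std::cout << "unpatched default, EXCEPTION_WHAT: " << leaked_header_unpatched() << '\n';
    std::cout << "after set_exception_handler, header present: "
              << (leaks_after_fix() ? "yes" : "no") << '\n';
    return 0;
}
```

The same registration is what to add to an existing cpp-httplib server that cannot move to 0.35.0 yet; a quick check after deploying is to trigger a handler failure deliberately and confirm the response carries no EXCEPTION_WHAT header.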

Key dates

Disclosure timeline

March 4, 2026 CVE published
March 4, 2026 Record updated
