CVE-2026-40561

CVE-2026-40561: Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence

Vendor Kazuho
Product Starlet
Weakness CWE-444
Published May 3, 2026
Last update May 7, 2026

CVSS base score

What the vulnerability does

01Description

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

Key dates

02Disclosure timeline

May 3, 2026 CVE published
May 7, 2026 Record updated

Related vulnerabilities

04Related CVE