Vulnerability Database

322,905

Total vulnerabilities in the database

CVE-2026-23527

H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.

Published: Jan 15, 2026
Updated: Jan 24, 2026
CVE: CVE-2026-23527
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.9
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
h3 / h3	-	1.15.5

https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097
https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo