
Description

JUNG Smart Visu Server 1.1.1050 contains a request header manipulation vulnerability that allows unauthenticated attackers to override request URLs by injecting arbitrary values in the X-Forwarded-Host header. Attackers can manipulate proxied requests to generate tainted responses, enabling cache poisoning, potential phishing, and redirecting users to malicious domains.

PUBLISHED Reserved 2026-02-12 | Published 2026-02-12 | Updated 2026-02-12 | Assigner VulnCheck




HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
HIGH: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of HTTP Headers for Scripting Syntax

Product status

1.1.1050: affected
1.0.905: affected
1.0.832: affected
1.0.830: affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5970.php (Zero Science Lab Vulnerability Advisory) third-party-advisory

www.vulncheck.com/...on-of-http-headers-for-scripting-syntax (VulnCheck Advisory: JUNG Smart Visu Server - Improper Neutralization of HTTP Headers for Scripting Syntax) third-party-advisory

cve.org (CVE-2026-26234)

nvd.nist.gov (CVE-2026-26234)
