CVE-2026-28434

EUVD-2026-9495

04.03.2026, 20:16

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
yhirose	cpp-httplib	𝑥 < 0.35.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

cpp-httplib

bookworm	vulnerable
forky	vulnerable
sid	0.41.0+ds-3 fixed
trixie	vulnerable

Known Exploits!

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8mpw-r4gc-xm7q

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/yhirose/cpp-httplib/commit/defd907c7469c5c8281247b73bbd07be24c31164

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8mpw-r4gc-xm7q