Byte Open Security

(ByteOS Network)

NVD Vulnerability Details: CVE-2026-2332
Analyzed
Source: emo@eclipse.org
Published At: 14 Apr, 2026 | 12:16
Updated At: 01 May, 2026 | 13:31

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:

* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html

Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.

    POST / HTTP/1.1
    Host: localhost
    Transfer-Encoding: chunked

    1;ext="val
    X
    0

    GET /smuggled HTTP/1.1
    ...

Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
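The strict handling the description calls for, as an added example (not code from Jetty or from the advisory): a chunked-body decoder that validates each chunk-size line against the RFC 9112 section 7.1.1 grammar, so a quoted string left open at the line ending is a framing error. The names, the line-length limit and both sample bodies are assumptions constructed for this example; trailer fields are skipped, not validated.

```python
import re

# RFC 9112 section 7.1.1 grammar for the chunk-size line (CRLF excluded).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QDTEXT = rb"[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]"  # no DQUOTE, backslash, CR, LF
QPAIR = rb"\\[\t \x21-\x7e\x80-\xff]"
QUOTED = rb'"(?:' + QDTEXT + rb"|" + QPAIR + rb')*"'
EXT = (rb"(?:[ \t]*;[ \t]*" + TOKEN +
       rb"(?:[ \t]*=[ \t]*(?:" + TOKEN + rb"|" + QUOTED + rb"))?)*")
CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]{1,16})" + EXT)
MAX_LINE = 4096  # assumed limit for this example

def decode_chunked(body: bytes):
    """Return (payload, bytes_after_body); raise ValueError on bad framing."""
    payload, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0 or eol - pos > MAX_LINE:
            raise ValueError("chunk line missing CRLF or too long")
        line = body[pos:eol]
        m = CHUNK_LINE.fullmatch(line)
        if m is None:  # includes a quoted string that never closes
            raise ValueError(f"malformed chunk line: {line!r}")
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        payload += body[pos:pos + size]
        pos += size + 2
    end = body.find(b"\r\n\r\n", pos - 2)  # empty line ending the trailers
    if end < 0:
        raise ValueError("chunked body not terminated")
    return bytes(payload), body[end + 4:]

def is_rejected(body: bytes) -> bool:
    try:
        decode_chunked(body)
    except ValueError:
        return True
    return False

# Constructed sample: the request body shown in the description above.
UNTERMINATED = b'1;ext="val\r\nX\r\n0\r\n\r\nGET /smuggled HTTP/1.1\r\n\r\n'
# Constructed sample: the same framing with the quoted string closed.
WELL_FORMED = b'1;ext="val"\r\nX\r\n0\r\n\r\n'

if __name__ == "__main__":
    print(is_rejected(UNTERMINATED), decode_chunked(WELL_FORMED))
```

A front end or test harness that rejects the first sample and accepts the second agrees with the RFC grammar on where the chunk line ends.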

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A

Metrics
Type: Secondary
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Type: Primary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CPE Matches

Eclipse Foundation AISBL, eclipse jetty (cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*):
* Versions from 9.4.0 (inclusive) to 9.4.60 (exclusive)
* Versions from 10.0.0 (inclusive) to 10.0.28 (exclusive)
* Versions from 11.0.0 (inclusive) to 11.0.28 (exclusive)
* Versions from 12.0.0 (inclusive) to 12.0.33 (exclusive)
* Versions from 12.1.0 (inclusive) to 12.1.7 (exclusive)

Weaknesses
CWE ID: CWE-444
Type: Primary
Source: emo@eclipse.org

References
Hyperlink: https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf
Source: emo@eclipse.org
Resource: Exploit, Vendor Advisory, Mitigation

Hyperlink: https://gitlab.eclipse.org/security/cve-assignment/-/issues/89
Source: emo@eclipse.org
Resource: Issue Tracking, Vendor Advisory

Change History
0 changes found