{"schema_version":"1.7.2","id":"OESA-2026-1867","modified":"2026-04-11T14:04:49Z","published":"2026-04-11T14:04:49Z","upstream":["CVE-2026-33745","CVE-2026-34441"],"summary":"cpp-httplib security update","details":"A C++11 single-file header-only cross platform HTTP/HTTPS library. It's extremely easy to setup. Just include httplib.h file in your code!\r\n\r\nSecurity Fix(es):\n\ncpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue.(CVE-2026-33745)\n\ncpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. \nThis issue has been patched in version 0.40.0.(CVE-2026-34441)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"cpp-httplib","purl":"pkg:rpm/openEuler/cpp-httplib&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.40.0-1.oe2403"}]}],"ecosystem_specific":{"aarch64":["cpp-httplib-0.40.0-1.oe2403.aarch64.rpm","cpp-httplib-debuginfo-0.40.0-1.oe2403.aarch64.rpm","cpp-httplib-debugsource-0.40.0-1.oe2403.aarch64.rpm","cpp-httplib-devel-0.40.0-1.oe2403.aarch64.rpm"],"src":["cpp-httplib-0.40.0-1.oe2403.src.rpm"],"x86_64":["cpp-httplib-0.40.0-1.oe2403.x86_64.rpm","cpp-httplib-debuginfo-0.40.0-1.oe2403.x86_64.rpm","cpp-httplib-debugsource-0.40.0-1.oe2403.x86_64.rpm","cpp-httplib-devel-0.40.0-1.oe2403.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1867"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33745"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34441"}],"database_specific":{"severity":"High"}}
