CVE-2026-28435

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions cpp-httplib versions prior to 0.35.0

Description cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Before version 0.35.0, the library does not enforce the payload size limit configured via Server::set payload max length() on decompressed request bodies when using HandlerWithContentReader with Content-Encoding: gzip or other supported encodings. A small compressed payload can expand beyond the configured limit, potentially leading to a denial of service through CPU or memory exhaustion.

Recommendations Update to version 0.35.0 or later.

Exploit

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-409CWE-400

Related Identifiers

CVE-2026-28435

GHSA-XVFX-W463-6FPP

OESA-2026-1552

OESA-2026-1553

OESA-2026-1554

OESA-2026-1555

OPENSUSE-SU-2026:10435-1

OPENSUSE-SU-2026:20733-1

SUSE-SU-2026:21599-1

Affected Products

Cpp-Httplib

CVE-2026-28435

Weakness Enumeration

Related Identifiers

Affected Products

References · 32