CVE-2026-22903

Name of the Vulnerable Software and Affected Versions lighttpd (affected versions not specified)

Description An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the lighttpd server, potentially causing it to crash and enabling remote code execution due to missing stack protections. The vulnerability is present in a modified version of the lighttpd server. The SESSIONID cookie is a vulnerable parameter.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.