lighttpd

35 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-12642 | affected: all versions | 9.1 CRITICAL
  lighttpd 1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to condu

CVE-2022-41556 | affected: >= 1.4.56 and < 1.4.67 | 7.5 HIGH
  A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) a

CVE-2022-37797 | affected: all versions | 7.5 HIGH
  In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) i

CVE-2022-30780 | affected: all versions | 7.5 HIGH
  Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) beca

CVE-2022-22707 | affected: >= 1.4.46 and <= 1.4.63 | 5.9 MEDIUM
  In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer ove

CVE-2019-11072 | affected: <= 1.4.53 | 9.8 CRITICAL
  lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application

CVE-2018-19052 | affected: < 1.4.50 | 7.5 HIGH
  An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traver

CVE-2015-3200 | affected: <= 1.4.35 | 7.5 HIGH
  mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string

CVE-2014-2324 | affected: < 1.4.35
  Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote att

CVE-2014-2323 | affected: < 1.4.35 | 9.8 CRITICAL
  SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL comman

CVE-2013-4560 | affected: < 1.4.33
  Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault an

CVE-2013-4559 | affected: < 1.4.33
  lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might caus

CVE-2013-4508 | affected: >= 1.4.24 and <= 1.4.33 | 7.5 HIGH
  lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack ses

CVE-2013-1427 | affected: <= 1.4.27
  The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a pre

CVE-2012-5533 | affected: all versions
  The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service

CVE-2011-4362 | affected: >= 1.4.1 and < 1.4.30
  Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 befo

CVE-2010-0295 | affected: <= 1.4.25
  lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attac

CVE-2008-4360 | affected: < 1.4.20
  mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive com

CVE-2008-4359 | affected: < 1.4.20
  lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before perform

CVE-2008-4298 | affected: <= 1.4.19
  Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of

CVE-2008-1531 | affected: <= 1.4.19
  The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attack

CVE-2008-1270 | affected: <= 1.4.18
  mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attack

CVE-2008-1111 | affected: all versions
  mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might all

CVE-2008-0983 | affected: all versions
  lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which

CVE-2007-4727 | affected: <= 1.4.15
  Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18

CVE-2007-3950 | affected: <= 1.4.15
  lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified

CVE-2007-3949 | affected: <= 1.4.15
  mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.acce

CVE-2007-3948 | affected: <= 1.4.15
  connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers t

CVE-2007-3947 | affected: <= 1.4.15
  request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with d

CVE-2007-3946 | affected: <= 1.4.15
  mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecifi

CVE-2007-1870 | affected: all versions
  lighttpd before 1.4.14 allows attackers to cause a denial of service (crash) via a request to a file whose mtime is 0, which resul

CVE-2007-1869 | affected: all versions
  lighttpd 1.4.12 and 1.4.13 allows remote attackers to cause a denial of service (cpu and resource consumption) by disconnecting wh

CVE-2006-0814 | affected: all versions
  response.c in Lighttpd 1.4.10 and possibly previous versions, when run on Windows, allows remote attackers to read arbitrary sourc

CVE-2006-0760 | affected: all versions
  LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks an

CVE-2005-0453 | affected: all versions
  The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attac
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin