CVE-2025-12543 · CRITICAL 9.6 · EPSS percentile 63.6%

Description

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP and other Java applications. Undertow does not properly validate the Host header of incoming HTTP requests. Requests carrying a malformed or attacker-controlled Host header are therefore processed rather than rejected, which lets an attacker poison caches, perform internal network scans, or hijack user sessions.
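The missing control the description refers to, shown as an added example: a Host header validator that enforces the RFC 7230 `Host = uri-host [ ":" port ]` syntax and an allowlist of the names the deployment actually serves, run over a few constructed requests. This is illustration code written for this entry, not Undertow's implementation and not the Red Hat fix; `ALLOWED_HOSTS`, the sample requests and the function names are assumptions. Applying such a check at the reverse proxy or in the application mitigates Host-based cache poisoning and poisoned absolute URLs (password-reset links, redirects), but it does not replace the patched Undertow builds in the referenced advisories.

```python
import ipaddress
import re

# Constructed allowlist of the names this deployment actually serves (an assumption
# for the example; a real deployment takes it from configuration).
ALLOWED_HOSTS = {"app.example.com", "localhost"}

# RFC 7230 section 5.4: Host = uri-host [ ":" port ]. uri-host is a reg-name
# (dot-separated labels of letters, digits and hyphens), an IPv4 address (which the
# reg-name branch also matches) or a bracketed IPv6 literal.
_HOST_RE = re.compile(
    r"^(?P<host>"
    r"\[[0-9A-Fa-f:.]+\]"                                   # IPv6 literal
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"              # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*\.?"     # further labels
    r")(?::(?P<port>[0-9]{1,5}))?$"
)


def validate_host(value, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for one Host header value.

    Rejects control characters and whitespace (header-injection attempts), anything
    that is not uri-host[:port], bad ports or IPv6 literals, and any host that is
    not in the allowlist, so a spoofed Host cannot steer cache keys, redirects or
    absolute URLs that the application generates from it.
    """
    if value is None:
        return False, "missing Host header"
    if any(ch in value for ch in "\r\n\x00 \t"):
        return False, "control or whitespace character in Host"
    m = _HOST_RE.match(value)
    if not m:
        return False, "Host is not uri-host[:port]"
    host = m.group("host").rstrip(".").lower()
    port = m.group("port")
    if port is not None and not 0 < int(port) <= 65535:
        return False, "port out of range"
    if host.startswith("["):
        try:
            ipaddress.IPv6Address(host[1:-1])
        except ValueError:
            return False, "invalid IPv6 literal"
    if host not in allowed_hosts:
        return False, "Host %r is not an allowed name" % host
    return True, "ok"


def check_request(raw, allowed_hosts=ALLOWED_HOSTS):
    """Validate the Host header of a raw HTTP/1.1 request given as bytes.

    HTTP/1.1 requires exactly one Host header; a missing or duplicated one is a
    400 Bad Request on its own (RFC 7230 section 5.4), before any value check.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = [line.split(":", 1)[1].strip(" \t")
             for line in head.split("\r\n")[1:]
             if line.lower().startswith("host:")]
    if not hosts:
        return False, "missing Host header"
    if len(hosts) > 1:
        return False, "multiple Host headers"
    return validate_host(hosts[0], allowed_hosts)


# Constructed sample requests: a legitimate one, a spoofed Host of the kind used for
# cache poisoning or poisoned reset links, a value with embedded whitespace, and a
# request carrying two Host headers.
SAMPLE_REQUESTS = {
    "legit": b"GET / HTTP/1.1\r\nHost: app.example.com\r\n\r\n",
    "spoofed": b"GET /reset HTTP/1.1\r\nHost: attacker.example.net\r\n\r\n",
    "whitespace": b"GET / HTTP/1.1\r\nHost: app.example.com evil\r\n\r\n",
    "duplicate": (b"GET / HTTP/1.1\r\nHost: app.example.com\r\n"
                  b"Host: attacker.example.net\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        ok, reason = check_request(raw)
        print("%-10s %s  %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

Run it to print the verdict for each constructed request. The point of the check is where it sits: it must run before the Host value is used for anything, since cache keys, Location headers and absolute URLs built from it are exactly where an unvalidated Host turns into poisoning or session hijack.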

Scoring

CVSS 3.1: 9.6 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 1.18% probability of exploitation · percentile 63.6% · scored 2026-06-18T12:00:27Z
Published: 2026-01-07
Last modified: 2026-03-18

Underlying weaknesses (1)

CWE-20 (Improper Input Validation)

References

  1. https://access.redhat.com/errata/RHSA-2026:0383
  2. https://access.redhat.com/errata/RHSA-2026:0384
  3. https://access.redhat.com/errata/RHSA-2026:0386
  4. https://access.redhat.com/errata/RHSA-2026:3889
  5. https://access.redhat.com/errata/RHSA-2026:3890
  6. https://access.redhat.com/errata/RHSA-2026:3891
  7. https://access.redhat.com/errata/RHSA-2026:3892
  8. https://access.redhat.com/errata/RHSA-2026:4915

Weakness mapping (1)

Type      Target                              Confidence  Tier
Weakness  Improper Input Validation (cwe-20)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-28368
  2. CVE-2026-28369
  3. CVE-2026-28367
  4. CVE-2025-1247
  5. CVE-2026-41854
  6. CVE-2026-42579

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.