CVE-2026-50052EPSS p23.2%

CVE-2026-50052CVE-2026-50052

Description

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.

Scoring

EPSS0.32% probability of exploitation · percentile 23.2% · 2026-06-18T12:00:27Z
Last modified2026-06-04

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-34475
CVE
CVE-2026-28368
CVE
CVE-2026-49160
CVE
CVE-2026-28369
CVE
CVE-2026-28367
CVE
CVE-2026-23941
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.