CVE-2026-40561
Legitimate vuln but zero active signal; pure automated disclosure chatter today.
What: HTTP Request Smuggling in Starlet (Perl web server) through v0.31 via improper header precedence—Content-Length prioritized over Transfer-Encoding in violation of RFC 7230, enabling request smuggling via reverse proxies.
Why it matters: Published today with no CVSS/EPSS scores, no KEV listing, and no public PoC or vendor advisory detected. Social signal is purely automated feed republication from NVD/CVE databases. No defender triage or patch activity reported.
Where it's seen: Five low-engagement posts, all feed-driven mirrors (CVEnew, Vulmon, Bluesky aggregators). No researcher analysis, no vendor statement, no exploitation chatter.
RISK: MODERATE. HTTP request smuggling is a known attack class; exposure depends on Starlet adoption and proxy configurations.
AttackerKB
Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
NVD details: 1 CWE · 0 vendors · 2 refs
Description
Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
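The check below is an added example, not code from Starlet or from any source quoted on this page. It models the RFC 7230 section 3.3.3 precedence beside the Content-Length-first precedence the description attributes to Starlet, and flags requests that the two rules would frame differently. Function names and sample requests are constructed for illustration.

```python
# Added example: models the two header-precedence rules; not Starlet's code.
# All function names and sample requests are constructed for illustration.

def headers_of(raw: bytes) -> list[tuple[str, str]]:
    """Return (lowercased name, value) pairs from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = (line.partition(":") for line in head.split("\r\n")[1:])
    return [(n.strip().lower(), v.strip()) for n, _, v in pairs]

def values(headers, name):
    """Flatten comma-separated values of every occurrence of one header."""
    return [p.strip().lower() for n, v in headers if n == name
            for p in v.split(",") if p.strip()]

def framing_rfc(headers):
    """RFC 7230 section 3.3.3: Transfer-Encoding overrides Content-Length."""
    te = values(headers, "transfer-encoding")
    cl = values(headers, "content-length")
    if te:  # the final transfer coding of a request must be chunked
        return ("chunked", None) if te[-1] == "chunked" else ("reject", None)
    if len(set(cl)) > 1 or any(not (c.isascii() and c.isdigit()) for c in cl):
        return ("reject", None)  # conflicting or non-numeric Content-Length
    return ("length", int(cl[0]) if cl else 0)

def framing_cl_first(headers):
    """The precedence the advisory describes: Content-Length checked first."""
    cl = values(headers, "content-length")
    if cl and cl[0].isascii() and cl[0].isdigit():
        return ("length", int(cl[0]))
    return framing_rfc(headers)

def audit(raw: bytes) -> dict:
    """Flag requests that the two precedence rules would frame differently."""
    h = headers_of(raw)
    both = bool(values(h, "transfer-encoding")) and bool(values(h, "content-length"))
    rfc, legacy = framing_rfc(h), framing_cl_first(h)
    # RFC 7230 says a message carrying both headers ought to be handled as an error.
    action = "reject" if both or rfc[0] == "reject" else "forward"
    return {"both_headers": both, "rfc": rfc, "cl_first": legacy,
            "disagree": rfc != legacy, "action": action}

# Constructed sample requests (bodies are harmless placeholders).
AMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CLEAN = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for name, req in (("ambiguous", AMBIGUOUS), ("clean", CLEAN)):
        print(name, audit(req))
```

Run as a script, it prints the framing decision for each sample; the same `audit` function can be applied to request heads captured at a proxy to find traffic that should be rejected before it reaches the back end.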
Weaknesses
Top posts driving the trend
- @CVEarity (X) · 5/3/2026
  ⚡ New CVE Alert: CVE-2026-40561 🚨 Risk Level: Unknown 🧩 Affects: Multiple / Unspecified Products Reference: https://t.co/DkDT8pYotk #CVE-2026-40561 #CVE #CyberSecurity #InfoSec https://t.co/5HwOErgIMM
  ♥ 0 · ↻ 0 · 💬 0
- @infoflowcloud (X) · 5/3/2026
  🚨*CVE* CVE-2026-40561 Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-… https://t.co/AWqZtaQsCB ----- Translation: CVE-2026-40561 Sta… https://t.co/utmtNgl3sv
  ♥ 0 · ↻ 0 · 💬 0
- @CVEnew (X) · 5/3/2026
  CVE-2026-40561 Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-… https://t.co/Oq2vrbxTcY
  ♥ 0 · ↻ 0 · 💬 0
- @cve.skyfleet.blue (Bluesky) · 5/3/2026
  CVE-2026-40561 - Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence CVE ID : CVE-2026-40561 Published : May 3, 2026, 1:15 a.m. | 1 hour, 3 minutes ago Description : Starlet versions through 0.31 for Perl allows HTTP Reques...
  ♥ 0 · ↻ 0 · 💬 0
- @VulmonFeeds (X) · 5/3/2026
  CVE-2026-40561 HTTP Request Smuggling in Starlet Perl Through 0.31 via Header Precedence https://t.co/a2hdIe64So
  ♥ 0 · ↻ 0 · 💬 0
- @infosec.skyfleet.blue (Bluesky) · 5/3/2026
  CVE-2026-40561: Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence
  ♥ 0 · ↻ 0 · 💬 0