CVE-2025-12543
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fa
CVSS
9.6
Critical
EPSS
1.2%
p64
KEV
—
Exploit Today
19
0-100
Published: Jan 7, 2026 · Last modified: Jul 15, 2026 · CWE-20
1.2%EPSS · 30 days1.2%
2026-06-302026-07-16
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:0383
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:0384
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:0386
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33371
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33372
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3889
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3890
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3891
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3892
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:4915
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:4916
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:4917
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:4924
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2025-12543
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2408784
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:0383
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:0384
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:0386
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33371
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33372
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-341978.8 HIG99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability2dCVE-2026-125699.8 CRI66.0%
KEV—70PTC Windchill and FlexPLM Improper Input Validation Vulnerability17dCVE-2025-607877.2 HIG97.0%
——29MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.12dCVE-2017-149197.5 HIG94.3%
——28Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.3dCVE-2026-482849.6 CRI94.1%
——28ColdFusion is affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.2dCVE-2022-457258.8 HIG93.4%
——28Improper Input Validation in Comfast router CF-WR6110N V2.3.1 allows a remote attacker on the same network to execute arbitrary code on the target via an HTTP POST request8d