CVE-2026-4700
Mitigation bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Th
CVSS
9.8
Critical
EPSS
0.5%
p37
KEV
—
Exploit Today
11
0-100
Published: Mar 24, 2026 · Last modified: Jul 15, 2026 · CWE-288 · CWE-444
0.5%EPSS · 30 days0.5%
2026-06-302026-07-17
Mitigation bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- bugzilla.mozilla.orghttps://bugzilla.mozilla.org/show_bug.cgi?id=2003766
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-20/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-22/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-23/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-24/
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5930
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5931
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5932
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6188
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6342
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6917
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7837
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7838
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7839
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7840
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7841
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7842
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7843
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7845
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7858
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2024-555919.8 CRI99.9%
KEV—80Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability10dCVE-2025-244728.1 HIG86.2%
KEV—76Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability10dCVE-2021-414367.5 HIG90.6%
——27An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote unauthenticated attacker to DoS via sending a specially crafted HTTP packet.10dCVE-2021-414427.5 HIG88.0%
——26An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.10dCVE-2021-414517.5 HIG82.0%
——25A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP-Link AX10v1 before V1_211117 allows a remote unauthenticated attacker to send a specially crafted HTTP request and receive a misconfigured HTTP/0.9 response, potentially leading into a cache poisoning attack.10dCVE-2026-401754.8 MED76.2%
——23Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.4d