CVE-2026-40560

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-40560
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-40560.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-40560
Downstream
Related
Published
2026-04-28T23:46:37.780Z
Modified
2026-05-28T03:53:19.703321408Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence
Details

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.

Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

Database specific 
{
    "cwe_ids": [
        "CWE-444"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40560.json",
    "cna_assigner": "CPANSec"
}
References

Affected packages

Git / github.com/miyagawa/starman

Affected ranges

Type
GIT
Repo
https://github.com/miyagawa/starman
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
636cd8b04e0fb5caba3fb9d24a4dcfc9074c0d1c

Affected versions

0.*
0.1000
0.1001
0.1002
0.1003
0.1004
0.1005
0.1006
0.1007
0.2000
0.2001
0.2002
0.2003
0.2004
0.2005
0.2006
0.2007
0.2008
0.2008_1
0.2008_2
0.2009
0.2010
0.2011
0.2012
0.2013
0.2014
0.29_90
0.3000
0.3001
0.3002
0.3003
0.3004
0.3005
0.3006
0.3007
0.3008
0.3009
0.3010
0.3011
0.3012
0.3013
0.3014
0.4000
0.4001
0.4002
0.4003
0.4004
0.4005
0.4006
0.4007
0.4008
0.4009
0.4010
0.4011
0.4013
0.4014
0.4015
0.4016
0.4017

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-40560.json"