{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28434", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:54:05.138Z", "datePublished": "2026-03-04T19:34:30.486Z", "dateUpdated": "2026-03-04T20:55:40.320Z"}, "containers": {"cna": {"title": "cpp-httplib's default exception handler leaks e.what() to clients via EXCEPTION_WHAT response header", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8mpw-r4gc-xm7q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8mpw-r4gc-xm7q"}, {"name": "https://github.com/yhirose/cpp-httplib/commit/defd907c7469c5c8281247b73bbd07be24c31164", "tags": ["x_refsource_MISC"], "url": "https://github.com/yhirose/cpp-httplib/commit/defd907c7469c5c8281247b73bbd07be24c31164"}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"version": "< 0.35.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T19:34:30.486Z"}, "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0."}], "source": {"advisory": "GHSA-8mpw-r4gc-xm7q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T20:45:05.207964Z", "id": "CVE-2026-28434", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T20:55:40.320Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28434", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T20:45:05.207964Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T20:55:35.685Z"}}], "cna": {"title": "cpp-httplib's default exception handler leaks e.what() to clients via EXCEPTION_WHAT response header", "source": {"advisory": "GHSA-8mpw-r4gc-xm7q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"status": "affected", "version": "< 0.35.0"}]}], "references": [{"url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8mpw-r4gc-xm7q", "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8mpw-r4gc-xm7q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/yhirose/cpp-httplib/commit/defd907c7469c5c8281247b73bbd07be24c31164", "name": "https://github.com/yhirose/cpp-httplib/commit/defd907c7469c5c8281247b73bbd07be24c31164", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T19:34:30.486Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28434", "state": "PUBLISHED", "dateUpdated": "2026-03-04T20:55:40.320Z", "dateReserved": "2026-02-27T15:54:05.138Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-04T19:34:30.486Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*", "matchCriteriaId": "27E6A328-789B-48B3-B888-23C091A0766D", "versionEndExcluding": "0.35.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0."}], "id": "CVE-2026-28434", "lastModified": "2026-03-05T22:11:16.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-04T20:16:19.823", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/yhirose/cpp-httplib/commit/defd907c7469c5c8281247b73bbd07be24c31164"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8mpw-r4gc-xm7q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.35.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cpp-httplib", "source": "cna", "vendor": "yhirose"}, "product": "cpp-httplib", "vendor": "yhirose"}], "analysis": {"en": {"generated_at": "2026-04-16T13:08:18.374774+00:00", "value": {"mitigation_remediation": ["Upgrade cpp\u2011httplib to version 0.35.0 or newer.", "If an upgrade is not immediately possible, register a custom exception handler with set_exception_handler() that suppresses or sanitizes exception messages before responding.", "Ensure that any EXCEPTION_WHAT header is removed or filtered from outgoing responses, either by configuring the HTTP library or by adding middleware to strip sensitive headers."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of yhirose:cpp\u2011httplib prior to version 0.35.0. Any application that includes the library without registering a custom exception handler is potentially exposed.", "description_and_impact": "cpp\u2011httplib\u2019s default exception handling writes the exception message directly into an HTTP response header named EXCEPTION_WHAT. This exposes internal error details to any client that makes a request, potentially revealing sensitive information about the application or environment. The weakness corresponds to CWE\u2011200, an information\u2011disclosure vulnerability.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity. The EPSS score of less than 1% suggests a low likelihood of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the leak by sending any HTTP request to the server; no authentication or special configuration is required."}}}}, "created": "2026-03-05T09:05:47.922296+00:00", "updated": "2026-04-16T13:15:06.225472+00:00", "vendors": ["yhirose", "yhirose$PRODUCT$cpp-httplib"]}