{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4742", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-03-24T03:23:33.566Z", "datePublished": "2026-03-24T03:24:06.460Z", "dateUpdated": "2026-03-24T14:33:37.688Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:24:06.460Z"}, "title": "HTTP Request Smuggling in visualfc/liteide", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "affected": [{"vendor": "visualfc", "product": "liteide", "collectionURL": "https://github.com/visualfc/liteide", "modules": ["liteidex/src/3rdparty/qjsonrpc/src/http-parser"], "programFiles": ["http_parser.c"], "versions": [{"status": "affected", "version": "0", "lessThan": "x38.4", "versionType": "git"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in visualfc liteide (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules). This vulnerability is associated with program files http_parser.C.\n\nThis issue affects liteide: before x38.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in visualfc liteide (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules).<p> This vulnerability is associated with program files http_parser.C.</p><p>This issue affects liteide: before x38.4.</p>"}]}], "references": [{"url": "https://github.com/visualfc/liteide/pull/1325", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NEGLIGIBLE", "Automatable": "NO", "Recovery": "USER", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "GREEN", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.9, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:P/S:N/AU:N/R:U/V:D/RE:L/U:Green"}}], "credits": [{"lang": "en", "value": "TITAN Team (titancaproject@gmail.com)", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:33:30.809217Z", "id": "CVE-2026-4742", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:33:37.688Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4742", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T14:33:30.809217Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:33:34.761Z"}}], "cna": {"title": "HTTP Request Smuggling in visualfc/liteide", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 2.9, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:P/S:N/AU:N/R:U/V:D/RE:L/U:Green", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "GREEN", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "visualfc", "modules": ["liteidex/src/3rdparty/qjsonrpc/src/http-parser"], "product": "liteide", "versions": [{"status": "affected", "version": "0", "lessThan": "x38.4", "versionType": "git"}], "programFiles": ["http_parser.c"], "collectionURL": "https://github.com/visualfc/liteide", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/visualfc/liteide/pull/1325", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in visualfc liteide (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules). This vulnerability is associated with program files http_parser.C.\n\nThis issue affects liteide: before x38.4.", "supportingMedia": [{"type": "text/html", "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in visualfc liteide (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules).<p> This vulnerability is associated with program files http_parser.C.</p><p>This issue affects liteide: before x38.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:24:06.460Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4742", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:33:37.688Z", "dateReserved": "2026-03-24T03:23:33.566Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-03-24T03:24:06.460Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in visualfc liteide (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules). This vulnerability is associated with program files http_parser.C.\n\nThis issue affects liteide: before x38.4."}, {"lang": "es", "value": "Vulnerabilidad de Interpretaci\u00f3n Inconsistente de Solicitudes HTTP ('Contrabando de Solicitudes/Respuestas HTTP') en visualfc liteide (m\u00f3dulos liteidex/src/3rdparty/qjsonrpc/src/http-parser). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa http_parser.C.\n\nEste problema afecta a liteide: versiones anteriores a x38.4."}], "id": "CVE-2026-4742", "lastModified": "2026-05-05T20:38:41.080", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-03-24T04:17:30.380", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/visualfc/liteide/pull/1325"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,x38.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "liteide", "source": "cna", "vendor": "visualfc"}, "product": "liteide", "vendor": "visualfc"}], "analysis": {"en": {"generated_at": "2026-03-24T04:20:44.145395+00:00", "value": {"mitigation_remediation": ["Verify whether the running instance of liteide is older than x38.4.", "If an upgrade path is available, apply the latest stable release (x38.4 or later) that contains the fixed http_parser module.", "If upgrading is not immediately possible, mitigate the issue by restricting direct HTTP access to the liteide instance, for example by placing a reverse proxy or firewall that normalizes HTTP requests before they reach the application.", "Monitor application logs for anomalous request patterns that could indicate smuggling attempts.", "Check the vendor\u2019s repository or issue tracker for additional patches or advisories, and stay updated on any future security releases."], "summary": {"action": "Assess Impact", "impact": "HTTP Request Smuggling"}, "threat_synthesis": {"affected_systems": "All installations of visualfc liteide prior to version x38.4 are affected. The flaw resides in the http_parser component of the liteide source tree and can be triggered when the application receives HTTP traffic from an external client.", "description_and_impact": "The vulnerability stems from inconsistent interpretation of HTTP requests in the liteide HTTP parser module, allowing an attacker to smuggle a second request into a single HTTP stream. This behavior can be exploited to bypass security checks, execute unintended commands, or redirect traffic, potentially compromising application data and integrity. The weakness falls under CWE\u2011444, which describes ways attackers can manipulate HTTP headers to alter request handling.", "risk_and_exploitability": "The CVSS score of 2.9 indicates low overall severity, and there is no EPSS score provided; the vulnerability is not currently listed in CISA\u2019s KEV catalog. The likely attack vector is inferred from the description to involve carefully constructed HTTP requests sent to the liteide server, which would require network-level access to the target. While the potential impact is moderate\u2014primarily affecting request integrity and potentially bypassing application controls\u2014the low score suggests that widespread exploitation is currently unlikely, though caution remains warranted."}}}}, "created": "2026-03-24T10:29:11.855017+00:00", "updated": "2026-03-25T20:40:17.202489+00:00", "vendors": ["visualfc", "visualfc$PRODUCT$liteide"]}