| 0 |
|
| 1 |
| url |
VCID-1qpe-g66r-r7d5 |
| vulnerability_id |
VCID-1qpe-g66r-r7d5 |
| summary |
An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-15810 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00155 |
| scoring_system |
epss |
| scoring_elements |
0.35927 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00155 |
| scoring_system |
epss |
| scoring_elements |
0.36022 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00155 |
| scoring_system |
epss |
| scoring_elements |
0.36031 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00155 |
| scoring_system |
epss |
| scoring_elements |
0.35991 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-15810 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-15810
|
| risk_score |
4.3 |
| exploitability |
0.5 |
| weighted_severity |
8.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1qpe-g66r-r7d5 |
|
| 2 |
| url |
VCID-1r8b-ykhg-9bar |
| vulnerability_id |
VCID-1r8b-ykhg-9bar |
| summary |
Format string vulnerability in the logging() function in C-Note Squid LDAP authentication module (squid_auth_LDAP) 2.0.2 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code by triggering log messages. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2002-0735 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0175 |
| scoring_system |
epss |
| scoring_elements |
0.82901 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.0175 |
| scoring_system |
epss |
| scoring_elements |
0.82928 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.0175 |
| scoring_system |
epss |
| scoring_elements |
0.82927 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.0175 |
| scoring_system |
epss |
| scoring_elements |
0.82924 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2002-0735 |
|
|
| fixed_packages |
|
| aliases |
CVE-2002-0735
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1r8b-ykhg-9bar |
|
| 3 |
| url |
VCID-1xuh-awaq-rybw |
| vulnerability_id |
VCID-1xuh-awaq-rybw |
| summary |
squid_ldap_auth in Squid 2.5 and earlier allows remote authenticated users to bypass username-based Access Control Lists (ACLs) via a username with a space at the beginning or end, which is ignored by the LDAP server. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0173 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01691 |
| scoring_system |
epss |
| scoring_elements |
0.82578 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.01691 |
| scoring_system |
epss |
| scoring_elements |
0.82605 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.01691 |
| scoring_system |
epss |
| scoring_elements |
0.82604 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01691 |
| scoring_system |
epss |
| scoring_elements |
0.82602 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0173 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2005-0173
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1xuh-awaq-rybw |
|
| 4 |
| url |
VCID-21hf-pjhc-gkek |
| vulnerability_id |
VCID-21hf-pjhc-gkek |
| summary |
The "cache update reply processing" functionality in Squid 2.x before 2.6.STABLE17 and Squid 3.0 allows remote attackers to cause a denial of service (crash) via unknown vectors related to HTTP headers and an Array memory leak during requests for cached objects. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2007-6239 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.08998 |
| scoring_system |
epss |
| scoring_elements |
0.92766 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.08998 |
| scoring_system |
epss |
| scoring_elements |
0.92779 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.08998 |
| scoring_system |
epss |
| scoring_elements |
0.92774 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.08998 |
| scoring_system |
epss |
| scoring_elements |
0.92769 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2007-6239 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2007-6239
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-21hf-pjhc-gkek |
|
| 5 |
| url |
VCID-2fq8-mupa-gfc9 |
| vulnerability_id |
VCID-2fq8-mupa-gfc9 |
| summary |
Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-4054
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2fq8-mupa-gfc9 |
|
| 6 |
| url |
VCID-2wzr-qudp-a7ff |
| vulnerability_id |
VCID-2wzr-qudp-a7ff |
| summary |
An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8517 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.74874 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.74903 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00927 |
| scoring_system |
epss |
| scoring_elements |
0.76479 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00927 |
| scoring_system |
epss |
| scoring_elements |
0.76468 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8517 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-8517
|
| risk_score |
3.6 |
| exploitability |
0.5 |
| weighted_severity |
7.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2wzr-qudp-a7ff |
|
| 7 |
|
| 8 |
| url |
VCID-2zct-5w44-gkag |
| vulnerability_id |
VCID-2zct-5w44-gkag |
| summary |
Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2016-4053 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.16544 |
| scoring_system |
epss |
| scoring_elements |
0.95028 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.16544 |
| scoring_system |
epss |
| scoring_elements |
0.95037 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.16544 |
| scoring_system |
epss |
| scoring_elements |
0.95038 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.16544 |
| scoring_system |
epss |
| scoring_elements |
0.9504 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2016-4053 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-4053
|
| risk_score |
1.2 |
| exploitability |
0.5 |
| weighted_severity |
2.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2zct-5w44-gkag |
|
| 9 |
| url |
VCID-39fn-vfvp-j3gp |
| vulnerability_id |
VCID-39fn-vfvp-j3gp |
| summary |
Buffer overflows in Squid before 2.4.STABLE6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code (1) via the MSNT auth helper (msnt_auth) when using denyusers or allowusers files, (2) via the gopher client, or (3) via the FTP server directory listing parser when HTML output is generated. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2002-0713
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-39fn-vfvp-j3gp |
|
| 10 |
| url |
VCID-3c8n-ttbh-5yhm |
| vulnerability_id |
VCID-3c8n-ttbh-5yhm |
| summary |
Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which could lead to less restrictive ACLs than intended by the administrator. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2005-1345 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00192 |
| scoring_system |
epss |
| scoring_elements |
0.40973 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00192 |
| scoring_system |
epss |
| scoring_elements |
0.41049 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00192 |
| scoring_system |
epss |
| scoring_elements |
0.41054 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00192 |
| scoring_system |
epss |
| scoring_elements |
0.41022 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2005-1345 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2005-1345
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3c8n-ttbh-5yhm |
|
| 11 |
| url |
VCID-3nbz-gtse-vfcz |
| vulnerability_id |
VCID-3nbz-gtse-vfcz |
| summary |
Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2011-3205
|
| risk_score |
1.1 |
| exploitability |
0.5 |
| weighted_severity |
2.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3nbz-gtse-vfcz |
|
| 12 |
| url |
VCID-3nc4-d8r8-w7gr |
| vulnerability_id |
VCID-3nc4-d8r8-w7gr |
| summary |
Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or conduct certain attacks via headers that do not follow the HTTP specification, including (1) multiple Content-Length headers, (2) carriage return (CR) characters that are not part of a CRLF pair, and (3) header names containing whitespace characters. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2005-0174
|
| risk_score |
1.4 |
| exploitability |
2.0 |
| weighted_severity |
0.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3nc4-d8r8-w7gr |
|
| 13 |
| url |
VCID-3tg2-re6y-g7gm |
| vulnerability_id |
VCID-3tg2-re6y-g7gm |
| summary |
Vulnerability in Squid before 2.4.STABLE6 related to proxy authentication credentials may allow remote web sites to obtain the user's proxy login and password. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2002-0715 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00405 |
| scoring_system |
epss |
| scoring_elements |
0.613 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00405 |
| scoring_system |
epss |
| scoring_elements |
0.61348 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00405 |
| scoring_system |
epss |
| scoring_elements |
0.61356 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00405 |
| scoring_system |
epss |
| scoring_elements |
0.61342 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2002-0715 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2002-0715
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3tg2-re6y-g7gm |
|
| 14 |
| url |
VCID-3uxw-bjux-kkad |
| vulnerability_id |
VCID-3uxw-bjux-kkad |
| summary |
Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator ignores the parser warnings. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0194 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71409 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71453 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71459 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71436 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0194 |
|
| 1 |
|
| 2 |
|
|
| fixed_packages |
|
| aliases |
CVE-2005-0194
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3uxw-bjux-kkad |
|
| 15 |
| url |
VCID-4238-kt68-byew |
| vulnerability_id |
VCID-4238-kt68-byew |
| summary |
Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execute arbitrary code via crafted Edge Side Includes (ESI) responses. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2016-4052 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.23622 |
| scoring_system |
epss |
| scoring_elements |
0.96087 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.23622 |
| scoring_system |
epss |
| scoring_elements |
0.96092 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.23622 |
| scoring_system |
epss |
| scoring_elements |
0.96095 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.23622 |
| scoring_system |
epss |
| scoring_elements |
0.96096 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2016-4052 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-4052
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4238-kt68-byew |
|
| 16 |
|
| 17 |
| url |
VCID-482d-pvjx-aya1 |
| vulnerability_id |
VCID-482d-pvjx-aya1 |
| summary |
This vulnerability allows remote attackers to deny service on vulnerable installations of The Squid Software Foundation Squid 3.5.27-20180318. Authentication is not required to exploit this vulnerability. The specific flaw exists within ClientRequestContext::sslBumpAccessCheck(). A crafted request can trigger the dereference of a null pointer. An attacker can leverage this vulnerability to create a denial-of-service condition to users of the system. Was ZDI-CAN-6088. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-1172 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.08729 |
| scoring_system |
epss |
| scoring_elements |
0.92643 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.08729 |
| scoring_system |
epss |
| scoring_elements |
0.92655 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.08729 |
| scoring_system |
epss |
| scoring_elements |
0.92651 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.08729 |
| scoring_system |
epss |
| scoring_elements |
0.92647 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-1172 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-1172
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-482d-pvjx-aya1 |
|
| 18 |
| url |
VCID-4yrg-ns3w-77af |
| vulnerability_id |
VCID-4yrg-ns3w-77af |
| summary |
An issue was discovered in Squid before 4.10. Due to incorrect buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-8450
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4yrg-ns3w-77af |
|
| 19 |
| url |
VCID-53jt-gwr4-8kgt |
| vulnerability_id |
VCID-53jt-gwr4-8kgt |
| summary |
Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long WCCP packet, which is processed by a recvfrom function call that uses an incorrect length parameter. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2005-0211
|
| risk_score |
0.2 |
| exploitability |
0.5 |
| weighted_severity |
0.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-53jt-gwr4-8kgt |
|
| 20 |
| url |
VCID-542u-f6fr-8uee |
| vulnerability_id |
VCID-542u-f6fr-8uee |
| summary |
CRLF injection vulnerability in Squid before 3.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-0881
|
| risk_score |
1.1 |
| exploitability |
0.5 |
| weighted_severity |
2.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-542u-f6fr-8uee |
|
| 21 |
| url |
VCID-5acx-thb8-vfdn |
| vulnerability_id |
VCID-5acx-thb8-vfdn |
| summary |
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2009-2855
|
| risk_score |
0.2 |
| exploitability |
0.5 |
| weighted_severity |
0.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5acx-thb8-vfdn |
|
| 22 |
| url |
VCID-5f1a-x42j-eqhg |
| vulnerability_id |
VCID-5f1a-x42j-eqhg |
| summary |
Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-5400
|
| risk_score |
0.9 |
| exploitability |
0.5 |
| weighted_severity |
1.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5f1a-x42j-eqhg |
|
| 23 |
|
| 24 |
| url |
VCID-6cdq-k5s3-byaz |
| vulnerability_id |
VCID-6cdq-k5s3-byaz |
| summary |
The aclMatchExternal function in Squid before 2.6.STABLE7 allows remote attackers to cause a denial of service (crash) by causing an external_acl queue overload, which triggers an infinite loop. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2007-0248
|
| risk_score |
0.2 |
| exploitability |
0.5 |
| weighted_severity |
0.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6cdq-k5s3-byaz |
|
| 25 |
| url |
VCID-6hvn-6cuu-duc1 |
| vulnerability_id |
VCID-6hvn-6cuu-duc1 |
| summary |
An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14058 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00545 |
| scoring_system |
epss |
| scoring_elements |
0.68129 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00545 |
| scoring_system |
epss |
| scoring_elements |
0.68169 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00545 |
| scoring_system |
epss |
| scoring_elements |
0.68177 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00602 |
| scoring_system |
epss |
| scoring_elements |
0.69912 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14058 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-14058
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
6.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6hvn-6cuu-duc1 |
|
| 26 |
| url |
VCID-6nqw-htvj-gyff |
| vulnerability_id |
VCID-6nqw-htvj-gyff |
| summary |
An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14059 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.03424 |
| scoring_system |
epss |
| scoring_elements |
0.87676 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.03424 |
| scoring_system |
epss |
| scoring_elements |
0.87697 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.03424 |
| scoring_system |
epss |
| scoring_elements |
0.87699 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.03424 |
| scoring_system |
epss |
| scoring_elements |
0.87698 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14059 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-14059
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6nqw-htvj-gyff |
|
| 27 |
| url |
VCID-6rbp-pb6j-pbe5 |
| vulnerability_id |
VCID-6rbp-pb6j-pbe5 |
| summary |
The sslConnectTimeout function in ssl.c for Squid 2.5.STABLE10 and earlier allows remote attackers to cause a denial of service (segmentation fault) via certain crafted requests. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2005-2796 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.15104 |
| scoring_system |
epss |
| scoring_elements |
0.94714 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.15104 |
| scoring_system |
epss |
| scoring_elements |
0.94723 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.15104 |
| scoring_system |
epss |
| scoring_elements |
0.94724 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.15104 |
| scoring_system |
epss |
| scoring_elements |
0.94726 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2005-2796 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2005-2796
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6rbp-pb6j-pbe5 |
|
| 28 |
| url |
VCID-6tsh-kmnv-nudz |
| vulnerability_id |
VCID-6tsh-kmnv-nudz |
| summary |
An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-15811 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.39992 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40074 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40076 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40048 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-15811 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-15811
|
| risk_score |
4.3 |
| exploitability |
0.5 |
| weighted_severity |
8.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6tsh-kmnv-nudz |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
| url |
VCID-7t4c-w47k-qyc9 |
| vulnerability_id |
VCID-7t4c-w47k-qyc9 |
| summary |
Squid 2.7 to 2.7.STABLE5, 3.0 to 3.0.STABLE12, and 3.1 to 3.1.0.4 allows remote attackers to cause a denial of service via an HTTP request with an invalid version number, which triggers a reachable assertion in (1) HttpMsg.c and (2) HttpStatusLine.c. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2009-0478 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.77052 |
| scoring_system |
epss |
| scoring_elements |
0.98984 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.77052 |
| scoring_system |
epss |
| scoring_elements |
0.98985 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.77052 |
| scoring_system |
epss |
| scoring_elements |
0.98988 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.77052 |
| scoring_system |
epss |
| scoring_elements |
0.98986 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2009-0478 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-0478
|
| risk_score |
1.4 |
| exploitability |
2.0 |
| weighted_severity |
0.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7t4c-w47k-qyc9 |
|
| 33 |
|
| 34 |
|
| 35 |
| url |
VCID-84wx-quwx-p3gr |
| vulnerability_id |
VCID-84wx-quwx-p3gr |
| summary |
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-25097 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00583 |
| scoring_system |
epss |
| scoring_elements |
0.69366 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00583 |
| scoring_system |
epss |
| scoring_elements |
0.69405 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00583 |
| scoring_system |
epss |
| scoring_elements |
0.69414 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00583 |
| scoring_system |
epss |
| scoring_elements |
0.69404 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-25097 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-25097
|
| risk_score |
3.9 |
| exploitability |
0.5 |
| weighted_severity |
7.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-84wx-quwx-p3gr |
|
| 36 |
|
| 37 |
| url |
VCID-8rur-rbfr-gubm |
| vulnerability_id |
VCID-8rur-rbfr-gubm |
| summary |
cachemgr.cgi in Squid 3.1.x and 3.2.x, possibly 3.1.22, 3.2.4, and other versions, allows remote attackers to cause a denial of service (resource consumption) via a crafted request. NOTE: this issue is due to an incorrect fix for CVE-2012-5643, possibly involving an incorrect order of arguments or incorrect comparison. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-0189
|
| risk_score |
0.3 |
| exploitability |
0.5 |
| weighted_severity |
0.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8rur-rbfr-gubm |
|
| 38 |
| url |
VCID-966y-hxyz-h7ca |
| vulnerability_id |
VCID-966y-hxyz-h7ca |
| summary |
The httpProcessReplyHeader function in http.c for Squid 2.5-STABLE7 and earlier does not properly set the debug context when it is handling "oversized" HTTP reply headers, which might allow remote attackers to poison the cache or bypass access controls based on header size. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2005-0241
|
| risk_score |
1.6 |
| exploitability |
2.0 |
| weighted_severity |
0.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-966y-hxyz-h7ca |
|
| 39 |
| url |
VCID-a579-pajq-hffz |
| vulnerability_id |
VCID-a579-pajq-hffz |
| summary |
Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squid 2.x and 3.x, when an SNMP port is configured, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted UDP SNMP request, which triggers a heap-based buffer overflow. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2014-6270 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.18201 |
| scoring_system |
epss |
| scoring_elements |
0.95318 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.18201 |
| scoring_system |
epss |
| scoring_elements |
0.95326 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.18201 |
| scoring_system |
epss |
| scoring_elements |
0.95328 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.18201 |
| scoring_system |
epss |
| scoring_elements |
0.9533 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2014-6270 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2014-6270
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a579-pajq-hffz |
|
| 40 |
| url |
VCID-b44k-k14j-ube8 |
| vulnerability_id |
VCID-b44k-k14j-ube8 |
| summary |
Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not properly enforce "buffer limits and related bound checks," which allows remote attackers to cause a denial of service via (1) an incomplete request or (2) a request with a large header size, related to (a) HttpMsg.cc and (b) client_side.cc. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2009-2621 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.23562 |
| scoring_system |
epss |
| scoring_elements |
0.96081 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.23562 |
| scoring_system |
epss |
| scoring_elements |
0.96086 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.23562 |
| scoring_system |
epss |
| scoring_elements |
0.96089 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.23562 |
| scoring_system |
epss |
| scoring_elements |
0.9609 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2009-2621 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-2621
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b44k-k14j-ube8 |
|
| 41 |
|
| 42 |
| url |
VCID-b4y7-qehh-m3bh |
| vulnerability_id |
VCID-b4y7-qehh-m3bh |
| summary |
Memory leak in the NTLM fakeauth_auth helper for Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (memory consumption). |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0096 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02283 |
| scoring_system |
epss |
| scoring_elements |
0.84989 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.02283 |
| scoring_system |
epss |
| scoring_elements |
0.85012 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.02283 |
| scoring_system |
epss |
| scoring_elements |
0.85017 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.02283 |
| scoring_system |
epss |
| scoring_elements |
0.85011 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0096 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2005-0096
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b4y7-qehh-m3bh |
|
| 43 |
| url |
VCID-bxjr-uwbe-3udc |
| vulnerability_id |
VCID-bxjr-uwbe-3udc |
| summary |
Format string vulnerability in the allowuser code for the Stellar-X msntauth authentication module, as distributed in Squid 2.4.STABLE6 and earlier, allows remote attackers to execute arbitrary code via format strings in the user name, which are not properly handled in a syslog call. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2002-0916 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02682 |
| scoring_system |
epss |
| scoring_elements |
0.86124 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.02682 |
| scoring_system |
epss |
| scoring_elements |
0.86145 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.02682 |
| scoring_system |
epss |
| scoring_elements |
0.86148 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.02682 |
| scoring_system |
epss |
| scoring_elements |
0.86144 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2002-0916 |
|
| 1 |
|
|
| fixed_packages |
|
| aliases |
CVE-2002-0916
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bxjr-uwbe-3udc |
|
| 44 |
| url |
VCID-c1s2-z4na-afbf |
| vulnerability_id |
VCID-c1s2-z4na-afbf |
| summary |
client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-4553
|
| risk_score |
5.0 |
| exploitability |
2.0 |
| weighted_severity |
2.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c1s2-z4na-afbf |
|
| 45 |
| url |
VCID-c442-9agd-kqfb |
| vulnerability_id |
VCID-c442-9agd-kqfb |
| summary |
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-12524
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c442-9agd-kqfb |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
| url |
VCID-db6w-h95e-9bhf |
| vulnerability_id |
VCID-db6w-h95e-9bhf |
| summary |
Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. On systems with memory access protections, this can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-12854 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.38048 |
| scoring_system |
epss |
| scoring_elements |
0.97301 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.38048 |
| scoring_system |
epss |
| scoring_elements |
0.97305 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.38048 |
| scoring_system |
epss |
| scoring_elements |
0.97306 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.38048 |
| scoring_system |
epss |
| scoring_elements |
0.97307 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-12854 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-12854
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-db6w-h95e-9bhf |
|
| 50 |
| url |
VCID-ddm4-j52m-efcy |
| vulnerability_id |
VCID-ddm4-j52m-efcy |
| summary |
Squid, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2009-0801 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.10926 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11013 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11005 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.10971 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2009-0801 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-0801
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ddm4-j52m-efcy |
|
| 51 |
| url |
VCID-dydn-mqw1-g7at |
| vulnerability_id |
VCID-dydn-mqw1-g7at |
| summary |
An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-12528 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.23648 |
| scoring_system |
epss |
| scoring_elements |
0.9609 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.23648 |
| scoring_system |
epss |
| scoring_elements |
0.96095 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.23648 |
| scoring_system |
epss |
| scoring_elements |
0.96098 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.23648 |
| scoring_system |
epss |
| scoring_elements |
0.96099 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-12528 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-12528
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dydn-mqw1-g7at |
|
| 52 |
|
| 53 |
| url |
VCID-efj8-p65n-bffs |
| vulnerability_id |
VCID-efj8-p65n-bffs |
| summary |
The WCCP message parsing code in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via malformed WCCP messages with source addresses that are spoofed to reference Squid's home router and invalid WCCP_I_SEE_YOU cache numbers. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0095 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.75842 |
| scoring_system |
epss |
| scoring_elements |
0.98928 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.75842 |
| scoring_system |
epss |
| scoring_elements |
0.98929 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.75842 |
| scoring_system |
epss |
| scoring_elements |
0.98931 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.75842 |
| scoring_system |
epss |
| scoring_elements |
0.9893 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0095 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2005-0095
|
| risk_score |
0.3 |
| exploitability |
0.5 |
| weighted_severity |
0.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-efj8-p65n-bffs |
|
| 54 |
| url |
VCID-fh8e-t1f8-73b2 |
| vulnerability_id |
VCID-fh8e-t1f8-73b2 |
| summary |
The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-1999-0710 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.12632 |
| scoring_system |
epss |
| scoring_elements |
0.94098 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.12632 |
| scoring_system |
epss |
| scoring_elements |
0.94106 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.12632 |
| scoring_system |
epss |
| scoring_elements |
0.94105 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.12632 |
| scoring_system |
epss |
| scoring_elements |
0.94107 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-1999-0710 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-1999-0710
|
| risk_score |
0.2 |
| exploitability |
2.0 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fh8e-t1f8-73b2 |
|
| 55 |
|
| 56 |
| url |
VCID-g4mn-8ehd-6udp |
| vulnerability_id |
VCID-g4mn-8ehd-6udp |
| summary |
Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka "Nonce replay vulnerability." |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2014-9749 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01938 |
| scoring_system |
epss |
| scoring_elements |
0.83743 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.01938 |
| scoring_system |
epss |
| scoring_elements |
0.83766 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.01938 |
| scoring_system |
epss |
| scoring_elements |
0.83767 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01938 |
| scoring_system |
epss |
| scoring_elements |
0.83762 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2014-9749 |
|
| 2 |
|
|
| fixed_packages |
|
| aliases |
CVE-2014-9749
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g4mn-8ehd-6udp |
|
| 57 |
| url |
VCID-gr7g-hj5f-aufc |
| vulnerability_id |
VCID-gr7g-hj5f-aufc |
| summary |
An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it serves the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker's HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-12520 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.06184 |
| scoring_system |
epss |
| scoring_elements |
0.91004 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.06184 |
| scoring_system |
epss |
| scoring_elements |
0.91018 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.06184 |
| scoring_system |
epss |
| scoring_elements |
0.91016 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.06184 |
| scoring_system |
epss |
| scoring_elements |
0.91013 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-12520 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-12520
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gr7g-hj5f-aufc |
|
| 58 |
| url |
VCID-gytn-z913-ubht |
| vulnerability_id |
VCID-gytn-z913-ubht |
| summary |
An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8449 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.03964 |
| scoring_system |
epss |
| scoring_elements |
0.88578 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.03964 |
| scoring_system |
epss |
| scoring_elements |
0.88596 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.03964 |
| scoring_system |
epss |
| scoring_elements |
0.88598 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.03964 |
| scoring_system |
epss |
| scoring_elements |
0.88597 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8449 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-8449
|
| risk_score |
2.1 |
| exploitability |
0.5 |
| weighted_severity |
4.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gytn-z913-ubht |
|
| 59 |
|
| 60 |
|
| 61 |
|
| 62 |
| url |
VCID-j4rt-cxwg-rugw |
| vulnerability_id |
VCID-j4rt-cxwg-rugw |
| summary |
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-18677
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j4rt-cxwg-rugw |
|
| 63 |
|
| 64 |
| url |
VCID-jaew-wj9q-17fk |
| vulnerability_id |
VCID-jaew-wj9q-17fk |
| summary |
Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger utility in Squid before 3.5.16 and 4.x before 4.0.8 allows remote servers to cause a denial of service (performance degradation or transition failures) or write sensitive information to log files via an ICMPv6 packet. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2016-3947
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jaew-wj9q-17fk |
|
| 65 |
| url |
VCID-jn1n-gp5t-c7ft |
| vulnerability_id |
VCID-jn1n-gp5t-c7ft |
| summary |
Buffer overflow in the gopherToHTML function in the Gopher reply parser for Squid 2.5.STABLE7 and earlier allows remote malicious Gopher servers to cause a denial of service (crash) via crafted responses. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2005-0094
|
| risk_score |
0.2 |
| exploitability |
0.5 |
| weighted_severity |
0.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jn1n-gp5t-c7ft |
|
| 66 |
|
| 67 |
| url |
VCID-k1yk-e4zn-h3c2 |
| vulnerability_id |
VCID-k1yk-e4zn-h3c2 |
| summary |
Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-33620 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.09639 |
| scoring_system |
epss |
| scoring_elements |
0.93041 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.09639 |
| scoring_system |
epss |
| scoring_elements |
0.93051 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.09639 |
| scoring_system |
epss |
| scoring_elements |
0.93049 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.09639 |
| scoring_system |
epss |
| scoring_elements |
0.93045 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-33620 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-33620
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k1yk-e4zn-h3c2 |
|
| 68 |
|
| 69 |
| url |
VCID-kkry-29uk-jkfh |
| vulnerability_id |
VCID-kkry-29uk-jkfh |
| summary |
Squid Web Proxy Cache 2.3.STABLE5 allows remote attackers to bypass security controls and access arbitrary websites via "@@" sequences in a URL within Internet Explorer. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2004-2480 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01999 |
| scoring_system |
epss |
| scoring_elements |
0.83975 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.01999 |
| scoring_system |
epss |
| scoring_elements |
0.83997 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.01999 |
| scoring_system |
epss |
| scoring_elements |
0.84 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01999 |
| scoring_system |
epss |
| scoring_elements |
0.83996 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2004-2480 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
|
| aliases |
CVE-2004-2480
|
| risk_score |
null |
| exploitability |
2.0 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kkry-29uk-jkfh |
|
| 70 |
| url |
VCID-kks8-56y6-6kew |
| vulnerability_id |
VCID-kks8-56y6-6kew |
| summary |
The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains an Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy. This attack appears to be exploitable via a remote server delivering an HTTP response payload containing valid but unusual ESI syntax. This vulnerability appears to have been fixed in 4.0.23 and later. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-1000024
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kks8-56y6-6kew |
|
| 71 |
| url |
VCID-kqba-yqhn-hbav |
| vulnerability_id |
VCID-kqba-yqhn-hbav |
| summary |
mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-4554
|
| risk_score |
1.2 |
| exploitability |
0.5 |
| weighted_severity |
2.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kqba-yqhn-hbav |
|
| 72 |
| url |
VCID-krap-1qmx-t7ap |
| vulnerability_id |
VCID-krap-1qmx-t7ap |
| summary |
An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+", "-" or an uncommon shell whitespace character prefix to the length field-value. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-15049
|
| risk_score |
3.9 |
| exploitability |
0.5 |
| weighted_severity |
7.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-krap-1qmx-t7ap |
|
| 73 |
|
| 74 |
| url |
VCID-mpfx-6sfu-43gz |
| vulnerability_id |
VCID-mpfx-6sfu-43gz |
| summary |
Squid 2.5.STABLE10 and earlier, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart). |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2005-2917
|
| risk_score |
0.2 |
| exploitability |
0.5 |
| weighted_severity |
0.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mpfx-6sfu-43gz |
|
| 75 |
| url |
VCID-n33d-b5uw-1yf2 |
| vulnerability_id |
VCID-n33d-b5uw-1yf2 |
| summary |
Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or execute arbitrary code by seeding manager reports with crafted data. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-4051
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n33d-b5uw-1yf2 |
|
| 76 |
| url |
VCID-nxn5-5c27-tkcr |
| vulnerability_id |
VCID-nxn5-5c27-tkcr |
| summary |
Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2014-0128 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.54968 |
| scoring_system |
epss |
| scoring_elements |
0.98092 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.54968 |
| scoring_system |
epss |
| scoring_elements |
0.98093 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.54968 |
| scoring_system |
epss |
| scoring_elements |
0.98095 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.54968 |
| scoring_system |
epss |
| scoring_elements |
0.98094 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2014-0128 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2014-0128
|
| risk_score |
0.2 |
| exploitability |
0.5 |
| weighted_severity |
0.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nxn5-5c27-tkcr |
|
| 77 |
|
| 78 |
| url |
VCID-pq9r-bdfx-vqb8 |
| vulnerability_id |
VCID-pq9r-bdfx-vqb8 |
| summary |
Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2012-5643 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.33163 |
| scoring_system |
epss |
| scoring_elements |
0.96996 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.33163 |
| scoring_system |
epss |
| scoring_elements |
0.97 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.33163 |
| scoring_system |
epss |
| scoring_elements |
0.97002 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.33163 |
| scoring_system |
epss |
| scoring_elements |
0.97004 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2012-5643 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2012-5643
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pq9r-bdfx-vqb8 |
|
| 79 |
| url |
VCID-pswa-8aa8-ukhw |
| vulnerability_id |
VCID-pswa-8aa8-ukhw |
| summary |
http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2016-2571 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.14329 |
| scoring_system |
epss |
| scoring_elements |
0.94533 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.14329 |
| scoring_system |
epss |
| scoring_elements |
0.94542 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.14329 |
| scoring_system |
epss |
| scoring_elements |
0.94543 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.14329 |
| scoring_system |
epss |
| scoring_elements |
0.94545 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2016-2571 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-2571
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pswa-8aa8-ukhw |
|
| 80 |
| url |
VCID-ptb8-53q8-gfad |
| vulnerability_id |
VCID-ptb8-53q8-gfad |
| summary |
The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2016-2570
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ptb8-53q8-gfad |
|
| 81 |
|
| 82 |
|
| 83 |
|
| 84 |
| url |
VCID-q6dn-87uh-sffd |
| vulnerability_id |
VCID-q6dn-87uh-sffd |
| summary |
Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (segmentation fault) by aborting the connection during a (1) PUT or (2) POST request, which causes Squid to access previously freed memory. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0718 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.12597 |
| scoring_system |
epss |
| scoring_elements |
0.94084 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.12597 |
| scoring_system |
epss |
| scoring_elements |
0.94092 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.12597 |
| scoring_system |
epss |
| scoring_elements |
0.94091 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.12597 |
| scoring_system |
epss |
| scoring_elements |
0.94093 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0718 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2005-0718
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q6dn-87uh-sffd |
|
| 85 |
| url |
VCID-qajc-u4gq-vfbf |
| vulnerability_id |
VCID-qajc-u4gq-vfbf |
| summary |
Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a crafted Edge Side Includes (ESI) response. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-4556
|
| risk_score |
1.5 |
| exploitability |
0.5 |
| weighted_severity |
3.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qajc-u4gq-vfbf |
|
| 86 |
| url |
VCID-qds8-ta3k-zydv |
| vulnerability_id |
VCID-qds8-ta3k-zydv |
| summary |
FTP proxy in Squid before 2.4.STABLE6 does not compare the IP addresses of control and data connections with the FTP server, which allows remote attackers to bypass firewall rules or spoof FTP server responses. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2002-0714 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38182 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38271 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38274 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38246 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2002-0714 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2002-0714
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qds8-ta3k-zydv |
|
| 87 |
| url |
VCID-qg6z-kgdf-a7et |
| vulnerability_id |
VCID-qg6z-kgdf-a7et |
| summary |
lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-0308
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qg6z-kgdf-a7et |
|
| 88 |
| url |
VCID-qg7m-8cuw-h7fx |
| vulnerability_id |
VCID-qg7m-8cuw-h7fx |
| summary |
Squid 2.5 STABLE9 and earlier, when the DNS client port is unfiltered and the environment does not prevent IP spoofing, allows remote attackers to spoof DNS lookups. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2005-1519 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.24581 |
| scoring_system |
epss |
| scoring_elements |
0.96227 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.24581 |
| scoring_system |
epss |
| scoring_elements |
0.96232 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.24581 |
| scoring_system |
epss |
| scoring_elements |
0.96234 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.24581 |
| scoring_system |
epss |
| scoring_elements |
0.96235 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2005-1519 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2005-1519
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qg7m-8cuw-h7fx |
|
| 89 |
| url |
VCID-qnfb-nqyv-17ar |
| vulnerability_id |
VCID-qnfb-nqyv-17ar |
| summary |
store.c in Squid 2.5.STABLE10 and earlier allows remote attackers to cause a denial of service (crash) via certain aborted requests that trigger an assert error related to STORE_PENDING. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2005-2794 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.12518 |
| scoring_system |
epss |
| scoring_elements |
0.94063 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.12518 |
| scoring_system |
epss |
| scoring_elements |
0.94071 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.12518 |
| scoring_system |
epss |
| scoring_elements |
0.9407 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.12518 |
| scoring_system |
epss |
| scoring_elements |
0.94072 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2005-2794 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2005-2794
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qnfb-nqyv-17ar |
|
| 90 |
|
| 91 |
| url |
VCID-r69g-yc8t-zua3 |
| vulnerability_id |
VCID-r69g-yc8t-zua3 |
| summary |
An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-18676 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01373 |
| scoring_system |
epss |
| scoring_elements |
0.80569 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.01373 |
| scoring_system |
epss |
| scoring_elements |
0.80595 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.01373 |
| scoring_system |
epss |
| scoring_elements |
0.80597 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01373 |
| scoring_system |
epss |
| scoring_elements |
0.80594 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-18676 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-18676
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r69g-yc8t-zua3 |
|
| 92 |
|
| 93 |
| url |
VCID-rnx4-ypsm-5fbq |
| vulnerability_id |
VCID-rnx4-ypsm-5fbq |
| summary |
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2014-7141 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.77333 |
| scoring_system |
epss |
| scoring_elements |
0.98997 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.77333 |
| scoring_system |
epss |
| scoring_elements |
0.98999 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.77333 |
| scoring_system |
epss |
| scoring_elements |
0.99001 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.77333 |
| scoring_system |
epss |
| scoring_elements |
0.99 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2014-7141 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2014-7141
|
| risk_score |
0.3 |
| exploitability |
0.5 |
| weighted_severity |
0.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rnx4-ypsm-5fbq |
|
| 94 |
| url |
VCID-ru9c-dnst-afck |
| vulnerability_id |
VCID-ru9c-dnst-afck |
| summary |
The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a denial of service (server restart) via certain SNMP packets with negative length fields that trigger a memory allocation error. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2004-0918
|
| risk_score |
0.3 |
| exploitability |
0.5 |
| weighted_severity |
0.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ru9c-dnst-afck |
|
| 95 |
| url |
VCID-s2yj-54je-z3a6 |
| vulnerability_id |
VCID-s2yj-54je-z3a6 |
| summary |
An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-12523 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00557 |
| scoring_system |
epss |
| scoring_elements |
0.68551 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00557 |
| scoring_system |
epss |
| scoring_elements |
0.68592 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00557 |
| scoring_system |
epss |
| scoring_elements |
0.686 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00618 |
| scoring_system |
epss |
| scoring_elements |
0.7038 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-12523 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-12523
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s2yj-54je-z3a6 |
|
| 96 |
|
| 97 |
|
| 98 |
|
| 99 |
| url |
VCID-t7px-3uvt-a3hn |
| vulnerability_id |
VCID-t7px-3uvt-a3hn |
| summary |
HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values." |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2014-3609
|
| risk_score |
1.4 |
| exploitability |
2.0 |
| weighted_severity |
0.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t7px-3uvt-a3hn |
|
| 100 |
|
| 101 |
| url |
VCID-tngg-53p5-n3hc |
| vulnerability_id |
VCID-tngg-53p5-n3hc |
| summary |
squid/src/ftp.c in Squid before 2.6.STABLE7 allows remote FTP servers to cause a denial of service (core dump) via crafted FTP directory listing responses, possibly related to the (1) ftpListingFinish and (2) ftpHtmlifyListEntry functions. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2007-0247 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.43589 |
| scoring_system |
epss |
| scoring_elements |
0.97585 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.43589 |
| scoring_system |
epss |
| scoring_elements |
0.9759 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.43589 |
| scoring_system |
epss |
| scoring_elements |
0.97592 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.43589 |
| scoring_system |
epss |
| scoring_elements |
0.97591 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2007-0247 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2007-0247
|
| risk_score |
0.8 |
| exploitability |
2.0 |
| weighted_severity |
0.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tngg-53p5-n3hc |
|
| 102 |
| url |
VCID-tpkk-2gpk-yqg9 |
| vulnerability_id |
VCID-tpkk-2gpk-yqg9 |
| summary |
The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterprise Server 15 before and including version 4.8-5.8.1 and in SUSE Linux Enterprise Server 12 before and including 3.5.21-26.17.1 had squid:root, 0750 permissions. This allowed an attacker that compromised the squid user to gain persistence by changing the binary |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-3688 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.1803 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.18111 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.18113 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.18074 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-3688 |
|
| 1 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-3688
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tpkk-2gpk-yqg9 |
|
| 103 |
| url |
VCID-tqfm-fsxd-4udg |
| vulnerability_id |
VCID-tqfm-fsxd-4udg |
| summary |
The htcpHandleTstRequest function in htcp.c in Squid 2.x before 2.6.STABLE24 and 2.7 before 2.7.STABLE8, and htcp.cc in 3.0 before 3.0.STABLE24, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted packets to the HTCP port. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2010-0639 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.49372 |
| scoring_system |
epss |
| scoring_elements |
0.97843 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.49372 |
| scoring_system |
epss |
| scoring_elements |
0.97847 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.49372 |
| scoring_system |
epss |
| scoring_elements |
0.97848 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.49372 |
| scoring_system |
epss |
| scoring_elements |
0.97849 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2010-0639 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2010-0639
|
| risk_score |
0.2 |
| exploitability |
0.5 |
| weighted_severity |
0.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tqfm-fsxd-4udg |
|
| 104 |
| url |
VCID-tr27-d4mz-yydt |
| vulnerability_id |
VCID-tr27-d4mz-yydt |
| summary |
Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause a denial of service via a crafted HTTP response, related to Vary headers. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-3948
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tr27-d4mz-yydt |
|
| 105 |
| url |
VCID-ts68-9k9c-nbam |
| vulnerability_id |
VCID-ts68-9k9c-nbam |
| summary |
The clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2007-1560
|
| risk_score |
0.3 |
| exploitability |
0.5 |
| weighted_severity |
0.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ts68-9k9c-nbam |
|
| 106 |
| url |
VCID-tssg-ugfw-duhk |
| vulnerability_id |
VCID-tssg-ugfw-duhk |
| summary |
The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") character, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2004-0189 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02494 |
| scoring_system |
epss |
| scoring_elements |
0.85593 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.02494 |
| scoring_system |
epss |
| scoring_elements |
0.85615 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.02494 |
| scoring_system |
epss |
| scoring_elements |
0.8562 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.02494 |
| scoring_system |
epss |
| scoring_elements |
0.85617 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2004-0189 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2004-0189
|
| risk_score |
null |
| exploitability |
2.0 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tssg-ugfw-duhk |
|
| 107 |
|
| 108 |
| url |
VCID-u2fc-fqcr-rfgq |
| vulnerability_id |
VCID-u2fc-fqcr-rfgq |
| summary |
Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote attackers to cause a denial of service via malformed requests including (1) "missing or mismatched protocol identifier," (2) "missing or negative status value," (3) "missing version," or (4) "missing or invalid status number," related to (a) HttpMsg.cc and (b) HttpReply.cc. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2009-2622 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.26189 |
| scoring_system |
epss |
| scoring_elements |
0.96395 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.26189 |
| scoring_system |
epss |
| scoring_elements |
0.964 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.26189 |
| scoring_system |
epss |
| scoring_elements |
0.96404 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.26189 |
| scoring_system |
epss |
| scoring_elements |
0.96405 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2009-2622 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-2622
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u2fc-fqcr-rfgq |
|
| 109 |
|
| 110 |
| url |
VCID-u9xe-qp75-j3by |
| vulnerability_id |
VCID-u9xe-qp75-j3by |
| summary |
An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-12529 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.17466 |
| scoring_system |
epss |
| scoring_elements |
0.95198 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.17466 |
| scoring_system |
epss |
| scoring_elements |
0.95205 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.17466 |
| scoring_system |
epss |
| scoring_elements |
0.95206 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.17466 |
| scoring_system |
epss |
| scoring_elements |
0.95208 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-12529 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-12529
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u9xe-qp75-j3by |
|
| 111 |
| url |
VCID-u9zn-mbvn-wqf6 |
| vulnerability_id |
VCID-u9zn-mbvn-wqf6 |
| summary |
Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0626 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00091 |
| scoring_system |
epss |
| scoring_elements |
0.25729 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00091 |
| scoring_system |
epss |
| scoring_elements |
0.25832 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00091 |
| scoring_system |
epss |
| scoring_elements |
0.25822 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00091 |
| scoring_system |
epss |
| scoring_elements |
0.25776 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2005-0626 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2005-0626
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u9zn-mbvn-wqf6 |
|
| 112 |
| url |
VCID-uusw-t2an-subt |
| vulnerability_id |
VCID-uusw-t2an-subt |
| summary |
The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2016-2390 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.21283 |
| scoring_system |
epss |
| scoring_elements |
0.9579 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.21283 |
| scoring_system |
epss |
| scoring_elements |
0.95794 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.21283 |
| scoring_system |
epss |
| scoring_elements |
0.95798 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.21283 |
| scoring_system |
epss |
| scoring_elements |
0.95799 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2016-2390 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-2390
|
| risk_score |
1.5 |
| exploitability |
0.5 |
| weighted_severity |
3.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uusw-t2an-subt |
|
| 113 |
|
| 114 |
| url |
VCID-vq4z-dh63-dqcr |
| vulnerability_id |
VCID-vq4z-dh63-dqcr |
| summary |
In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-46784 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.16362 |
| scoring_system |
epss |
| scoring_elements |
0.9498 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.16362 |
| scoring_system |
epss |
| scoring_elements |
0.94988 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.16362 |
| scoring_system |
epss |
| scoring_elements |
0.9499 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.16362 |
| scoring_system |
epss |
| scoring_elements |
0.94992 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-46784 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-46784
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vq4z-dh63-dqcr |
|
| 115 |
| url |
VCID-vtfj-m8fv-67fz |
| vulnerability_id |
VCID-vtfj-m8fv-67fz |
| summary |
The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appears to be exploitable via a remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-1000027
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
6.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vtfj-m8fv-67fz |
|
| 116 |
|
| 117 |
| url |
VCID-wg99-dwxv-f3ft |
| vulnerability_id |
VCID-wg99-dwxv-f3ft |
| summary |
The string-comparison functions in String.cci in Squid 3.x before 3.1.8 and 3.2.x before 3.2.0.2 allow remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2010-3072
|
| risk_score |
0.3 |
| exploitability |
0.5 |
| weighted_severity |
0.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wg99-dwxv-f3ft |
|
| 118 |
| url |
VCID-wgzx-2d4n-pub4 |
| vulnerability_id |
VCID-wgzx-2d4n-pub4 |
| summary |
Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-24606 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.06342 |
| scoring_system |
epss |
| scoring_elements |
0.91147 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.06342 |
| scoring_system |
epss |
| scoring_elements |
0.9116 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.06342 |
| scoring_system |
epss |
| scoring_elements |
0.91159 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.06342 |
| scoring_system |
epss |
| scoring_elements |
0.91157 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-24606 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-24606
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wgzx-2d4n-pub4 |
|
| 119 |
| url |
VCID-wjb2-xee7-r3aj |
| vulnerability_id |
VCID-wjb2-xee7-r3aj |
| summary |
The (1) ntlm_fetch_string and (2) ntlm_get_string functions in Squid 2.5.6 and earlier, with NTLM authentication enabled, allow remote attackers to cause a denial of service (application crash) via an NTLMSSP packet that causes a negative value to be passed to memcpy. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2004-0832 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.12288 |
| scoring_system |
epss |
| scoring_elements |
0.93994 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.12288 |
| scoring_system |
epss |
| scoring_elements |
0.94003 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.12288 |
| scoring_system |
epss |
| scoring_elements |
0.94002 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.12288 |
| scoring_system |
epss |
| scoring_elements |
0.94004 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2004-0832 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2004-0832
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wjb2-xee7-r3aj |
|
| 120 |
| url |
VCID-wjz5-fn94-vuay |
| vulnerability_id |
VCID-wjz5-fn94-vuay |
| summary |
The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and earlier allows remote FTP servers to cause a denial of service (segmentation fault) via certain "odd" responses. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2005-3258
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wjz5-fn94-vuay |
|
| 121 |
|
| 122 |
| url |
VCID-wsxk-va4y-1yej |
| vulnerability_id |
VCID-wsxk-va4y-1yej |
| summary |
The clientAbortBody function in client_side.c in Squid Web Proxy Cache before 2.6 STABLE6 allows remote attackers to cause a denial of service (segmentation fault) via unspecified vectors that trigger a null dereference. NOTE: in a followup advisory, a researcher claimed that the issue was a buffer overflow that was not fixed in STABLE6. However, the vendor's bug report clearly shows that the researcher later retracted this claim, because the tested product was actually STABLE5. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2004-2654 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00508 |
| scoring_system |
epss |
| scoring_elements |
0.66675 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00508 |
| scoring_system |
epss |
| scoring_elements |
0.66715 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00508 |
| scoring_system |
epss |
| scoring_elements |
0.66723 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00508 |
| scoring_system |
epss |
| scoring_elements |
0.66708 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2004-2654 |
|
| 2 |
|
|
| fixed_packages |
|
| aliases |
CVE-2004-2654
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wsxk-va4y-1yej |
|
| 123 |
|
| 124 |
| url |
VCID-x2zt-6c9e-xuck |
| vulnerability_id |
VCID-x2zt-6c9e-xuck |
| summary |
Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-3455
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x2zt-6c9e-xuck |
|
| 125 |
| url |
VCID-x6a1-9sht-uueb |
| vulnerability_id |
VCID-x6a1-9sht-uueb |
| summary |
client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge Side Includes (ESI) responses. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-4555
|
| risk_score |
1.5 |
| exploitability |
0.5 |
| weighted_severity |
3.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x6a1-9sht-uueb |
|
| 126 |
|
| 127 |
| url |
VCID-xrsk-4r8v-xqh2 |
| vulnerability_id |
VCID-xrsk-4r8v-xqh2 |
| summary |
The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error. NOTE: this issue is due to an incorrect fix for CVE-2007-6239. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2008-1612 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.13093 |
| scoring_system |
epss |
| scoring_elements |
0.94242 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.13093 |
| scoring_system |
epss |
| scoring_elements |
0.9425 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.13093 |
| scoring_system |
epss |
| scoring_elements |
0.94252 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.13093 |
| scoring_system |
epss |
| scoring_elements |
0.94253 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2008-1612 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2008-1612
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xrsk-4r8v-xqh2 |
|
| 128 |
| url |
VCID-xz37-ydtt-juh5 |
| vulnerability_id |
VCID-xz37-ydtt-juh5 |
| summary |
Squid 2.5.STABLE8 and earlier allows remote attackers to cause a denial of service (crash) via certain DNS responses regarding (1) Fully Qualified Domain Names (FQDN) in fqdncache.c or (2) IP addresses in ipcache.c, which trigger an assertion failure. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2005-0446
|
| risk_score |
0.3 |
| exploitability |
0.5 |
| weighted_severity |
0.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xz37-ydtt-juh5 |
|
| 129 |
| url |
VCID-xzre-8mk2-gyfa |
| vulnerability_id |
VCID-xzre-8mk2-gyfa |
| summary |
The NTLM component in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via a malformed NTLM type 3 message that triggers a NULL dereference. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2005-0097
|
| risk_score |
0.2 |
| exploitability |
0.5 |
| weighted_severity |
0.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xzre-8mk2-gyfa |
|
| 130 |
| url |
VCID-y8s6-9ezw-e7a2 |
| vulnerability_id |
VCID-y8s6-9ezw-e7a2 |
| summary |
Squid Web Proxy Cache 2.5 might allow remote attackers to obtain sensitive information via URLs containing invalid hostnames that cause DNS operations to fail, which results in references to previously used error messages. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2004-2479 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0103 |
| scoring_system |
epss |
| scoring_elements |
0.77663 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.0103 |
| scoring_system |
epss |
| scoring_elements |
0.7769 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.0103 |
| scoring_system |
epss |
| scoring_elements |
0.77698 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.0103 |
| scoring_system |
epss |
| scoring_elements |
0.77687 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2004-2479 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2004-2479
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y8s6-9ezw-e7a2 |
|
| 131 |
|
| 132 |
|
| 133 |
| url |
VCID-z9fz-nr3a-vqar |
| vulnerability_id |
VCID-z9fz-nr3a-vqar |
| summary |
Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of service (assertion failure and daemon exit) via a long string, as demonstrated by a crafted HTTP Vary header. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2016-2569
|
| risk_score |
0.3 |
| exploitability |
0.5 |
| weighted_severity |
0.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z9fz-nr3a-vqar |
|
| 134 |
| url |
VCID-z9sc-3ube-abaq |
| vulnerability_id |
VCID-z9sc-3ube-abaq |
| summary |
Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2004-0541 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.76951 |
| scoring_system |
epss |
| scoring_elements |
0.98977 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.76951 |
| scoring_system |
epss |
| scoring_elements |
0.98978 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.76951 |
| scoring_system |
epss |
| scoring_elements |
0.9898 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.76951 |
| scoring_system |
epss |
| scoring_elements |
0.98979 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2004-0541 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2004-0541
|
| risk_score |
1.4 |
| exploitability |
2.0 |
| weighted_severity |
0.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z9sc-3ube-abaq |
|
| 135 |
| url |
VCID-ze1z-qhyc-8ygm |
| vulnerability_id |
VCID-ze1z-qhyc-8ygm |
| summary |
An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-12525
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ze1z-qhyc-8ygm |
|
| 136 |
| url |
VCID-zq3z-pce4-5udp |
| vulnerability_id |
VCID-zq3z-pce4-5udp |
| summary |
Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2013-4115
|
| risk_score |
0.3 |
| exploitability |
0.5 |
| weighted_severity |
0.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zq3z-pce4-5udp |
|
| 137 |
| url |
VCID-ztr3-ygr2-ffbf |
| vulnerability_id |
VCID-ztr3-ygr2-ffbf |
| summary |
http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2016-2572
|
| risk_score |
0.1 |
| exploitability |
0.5 |
| weighted_severity |
0.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ztr3-ygr2-ffbf |
|