Httpclient
This hub aggregates every CVE we track for Httpclient, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
11
CVEs tracked
1
Critical
3
High
0
In CISA KEV
Severity distribution
MEDIUM6HIGH3LOW1CRITICAL1
Monthly trend
0
0
0
1
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
2024-082026-07
Latest CVEs
The 11 most recently published vulnerabilities affecting Httpclient.
- CVE-2026-40542Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification7.3
- CVE-2025-27820Apache HttpComponents: PSL (Public Suffix List) validation bypass7.5
- CVE-2024-50342Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client3.1
- CVE-2020-13956Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target ho...5.3
- CVE-2020-15094RCE in Symfony8.0
- CVE-2013-4366http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors ...9.8
- CVE-2015-5262http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote att...4.3
- CVE-2012-6153http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAlt...4.3
- CVE-2014-3577org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name i...5.8
- CVE-2012-5783Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject'...5.8
- CVE-2011-1498Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web server...4.3
Product normalization is registry-driven with AI assist and human review. How it works