{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T23:13:14.464","vulnerabilities":[{"cve":{"id":"CVE-2026-32881","sourceIdentifier":"security-advisories@github.com","published":"2026-03-20T02:16:36.237","lastModified":"2026-03-23T17:03:15.093","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names.  A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5."},{"lang":"es","value":"ewe es un servidor web Gleam. ewe es un servidor web Gleam. Las versiones 0.6.0 a 3.0.4 son vulnerables a la omisión de autenticación o a encabezados de confianza de proxy falsificados. El manejo de trailers de codificación de transferencia por bloques fusiona los campos de trailer declarados en req.headers después del análisis del cuerpo, pero la lista de denegación solo bloquea 9 nombres de encabezado. Un cliente malicioso puede explotar esto declarando estos encabezados en el campo Trailer y añadiéndolos después del último bloque, lo que hace que request.set_header sobrescriba valores legítimos (por ejemplo, los establecidos por un proxy inverso). Esto permite a los atacantes falsificar credenciales de autenticación, secuestrar sesiones, omitir la limitación de velocidad basada en IP o falsificar encabezados de confianza de proxy en cualquier middleware posterior que lea los encabezados después de que se llame a ewe.read_body. Este problema ha sido solucionado en la versión 3.0.5."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-183"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*","versionEndExcluding":"3.0.5","matchCriteriaId":"D14F72FF-5C22-4D38-A4A3-43EC2FCF386D"}]}]}],"references":[{"url":"https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5","source":"security-advisories@github.com","tags":["Patch","Product"]},{"url":"https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}