CVEFinder.io

CVE-2022-39348

🔶 medium
🔍 Scan for this CVE
Summary

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue wa

Description

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

CVSS Score
5.4
Medium
EPSS Score
1.2
Exploit Probability
Published Date
2022-10-26
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 22.8% of all 328,009 vulnerabilities in our database.

#253,218
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Apr 22, 2025
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2025-11-03
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE IDs (Weakness Types)
CWE-79 CWE-80

📦 Affected Products 2

Vendor Product Status Affected Versions
debian debian_linux Affected
v10.0
twisted twisted Affected
≥ 0.9.4 < 22.10.0

🔗 References 6

https://github.com/twisted/twisted/commit/f2f5e81c03...
Patch
https://github.com/twisted/twisted/commit/f49041bb67...
Patch
https://github.com/twisted/twisted/security/advisori...
Exploit Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11...
Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202301-02
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/11...

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-49975 ⚠️ high 7.5 1.3 Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service vi... 2026-06-08
CVE-2026-42304 ⚠️ high 7.5 0.0 Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.n... 2026-05-13
CVE-2026-31431 ⚠️ high 7.8 2.2 In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-pla... 2026-04-22
CVE-2026-4775 ⚠️ high 7.8 0.3 A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the ... 2026-03-24
CVE-2026-1940 🔶 medium 5.1 0.0 An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added... 2026-03-23
CVE-2025-63261 ⚠️ high 7.8 0.1 AWStats 8.0 is vulnerable to Command Injection via the open function 2026-03-20
These CVEs affect the same products