CVE-2026-47692
🔶 medium
Summary
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the PROXY protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between the bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
CVSS Score
4.8
Medium
EPSS Score
-
Published Date
2026-06-26
First Seen: 2026-06-27
📊 Relative Risk Intelligence
This CVE is Lower Risk - more severe than 13.8% of all 330,193 vulnerabilities in our database.
#284,724
Below average severity
🎯 CISA SSVC Assessment Updated: Jun 26, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by
CISA
Last Modified
2026-06-26
Source
NVD 🔗
CVSS Vector 3.1
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
CWE IDs (Weakness Types)