CVE-2026-44974
Description
@hapi/content provided HTTP Content-* headers parsing. Prior to 6.0.2, Content.disposition() retained the last occurrence of each duplicate parameter while Content.type() retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another component in the request-processing chain resolves duplicates the opposite way. This can allow an upload filename allowlist bypass in headers such as Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php". This issue is fixed in version 6.0.2.
Is your site exposed to CVE-2026-44974?
Run a free security scan — no signup, results in seconds.
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-44974? +
How do I check if I'm vulnerable to CVE-2026-44974? +
Related Vulnerabilities
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as …
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded …
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host …
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule …
uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were …
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml …