Package impact
MAVEN / io.netty:netty-codec-http
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-42581 | critical | 9.8 | 9.8 | 15d ago | Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization | |
| CVE-2026-42584 | critical | 9.1 | 9.1 | 15d ago | Netty has HttpClientCodec response desynchronization | |
| CVE-2026-42587 | high | 7.5 | 7.5 | 15d ago | Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS | |
| CVE-2026-42585 | high | 7.5 | 7.5 | 15d ago | Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding | |
| CVE-2026-42580 | medium | 6.5 | 6.5 | 15d ago | Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing | |
| CVE-2026-41417 | medium | 5.3 | 5.3 | 22d ago | Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection |