Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

CVE-2026-43870 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2026-43870

CVE-2026-43870

HIGH7.3

Apache Thrift: Node.js web_server.js multi-vulnerability

Published May 5, 2026

Modified 1 weeks ago

Details

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

http://www.openwall.com/lists/oss-security/2026/05/05/4

https://lists.apache.org/thread/pgtfq44ltc9t63kxcbqmwqzt45pnhqdy

https://www.cve.org/CVERecord?id=CVE-2026-43870

CVSS Analysis

CVSS v3.1

7.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

LowA:L

7.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Weakness Type (CWE)

Input Validation

HTTP Response Splitting

Other

Resource Management

Resource Exhaustion

Ecosystems

Timeline

PublishedMay 5, 2026

ModifiedMay 6, 2026