LeakyCreds

CVE-2026-27959 - Vulnerability Analysis

High | CVSS: 7.5

Last Updated: February 28, 2026

Koa - Host Header Injection

Published: February 26, 2026 | Updated: February 28, 2026 | PoC Available | Remote Exploitable

Overview

Koa versions before 3.1.2 and 2.16.4 contain a host header injection caused by naive parsing of the HTTP Host header in the ctx.hostname API, which lets attackers inject attacker-controlled hostnames. Exploitation requires sending a malformed Host header.

Severity & Score

Severity: High
CVSS Score: 7.5
EPSS Score: 5.4% (Probability of exploitation in next 30 days)

Impact

Attackers can inject arbitrary hostnames, potentially leading to phishing, URL spoofing, or bypassing security checks.

Mitigation

Upgrade to versions 3.1.2 or 2.16.4 or later.
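
The parsing weakness and a stricter check, as an added example (not Koa's code and not taken from the advisory): `naiveHostname` reconstructs the "everything before the first colon" behaviour described on this page, and `trustedHostname` validates the value against an allowlist before it is used. The function names, the allowlist and the sample headers are assumptions; IPv6 literals are out of scope here and are rejected.

```javascript
// Added example, NOT Koa's source. Reconstructs the behaviour described on
// this page: take everything before the first colon, with no validation.
function naiveHostname(hostHeader) {
  if (!hostHeader) return '';
  return hostHeader.split(':', 1)[0];
}

// host[:port] only; anything left over after the port is a parse failure.
const HOST_PORT = /^([^:]+)(?::(\d{1,5}))?$/;
// DNS name or IPv4 address: dot-separated labels of letters, digits, hyphens.
const DNS_NAME = /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// Returns the lowercased host, or null if the header is not a clean host[:port].
function strictHostname(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const m = HOST_PORT.exec(hostHeader);
  if (!m) return null;
  const [, host, port] = m;
  if (port !== undefined && (Number(port) < 1 || Number(port) > 65535)) return null;
  return DNS_NAME.test(host) ? host.toLowerCase() : null;
}

// Hypothetical allowlist: the names this deployment actually serves.
const ALLOWED_HOSTS = new Set(['app.example.com', 'www.example.com']);

// Only a syntactically valid AND expected host is returned for use in
// redirects, generated links or host-based security checks.
function trustedHostname(hostHeader) {
  const host = strictHostname(hostHeader);
  return host !== null && ALLOWED_HOSTS.has(host) ? host : null;
}

// Constructed Host header values (not captured traffic).
const SAMPLES = [
  'app.example.com',
  'APP.Example.com:8443',
  'unlisted.example.net:garbage after colon',
  'app.example.com:99999',
  'bad host!.example.com',
];

function compare() {
  return SAMPLES.map((header) => ({
    header, naive: naiveHostname(header), trusted: trustedHostname(header),
  }));
}

console.table(compare());
```

Rows where `naive` is a non-empty string but `trusted` is `null` are the inputs an unvalidated hostname would pass on to the application.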

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 26, 2026

🟠 CVE-2026-27959 - High (7.5) Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conf... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27959/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-27959
Severity: High
CVSS Score: 7.5
Type: host_header_injection
Status: confirmed
EPSS: 5.4%
Social Posts: 1

CWE

  • CWE-20
  • NVD-CWE-noinfo

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score

5.4% (Probability of exploitation in the next 30 days)