Varnish-software Varnish Enterprise — known CVE vulnerabilities
Every CVE whose affected-product data names Varnish-software Varnish Enterprise, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (6)
CVE-2023-41104 — CVSS 6.5 (medium): libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access during base64…
CVE-2025-30346 — CVSS 5.4 (medium): Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
CVE-2026-34475 — CVSS 5.4 (medium): Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of /…
CVE-2025-30347 — CVSS 4.0 (medium): Varnish Enterprise before 6.0.13r13 allows remote attackers to obtain sensitive information via an out-of-bounds read for range requests on…
CVE-2026-40394 — CVSS 4.0 (medium): Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for…
CVE-2026-40395 — CVSS 4.0 (medium): Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The…