Varnish Cache Project Varnish Cache — known CVE vulnerabilities
Every CVE whose affected-product data names Varnish Cache Project Varnish Cache, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (14)
CVE-2017-8807 — CVSS 9.1 (critical): vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cache 4.1.x before 4.1.9 and 5.x before 5.2.1 allows remote attackers to…
CVE-2022-23959 — CVSS 9.1 (critical): In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x…
CVE-2015-8852 — CVSS 7.5 (high): Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct…
CVE-2017-12425 — CVSS 7.5 (high): An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if…
CVE-2019-15892 — CVSS 7.5 (high): An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote…
CVE-2022-45059 — CVSS 7.5 (high): An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish…
CVE-2022-45060 — CVSS 7.5 (high): An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An…
CVE-2022-38150 — CVSS 7.5 (high): In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through…
CVE-2021-36740 — CVSS 6.5 (medium): Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST…
CVE-2025-30346 — CVSS 5.4 (medium): Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
CVE-2013-4484 — CVSS 5.0 (medium): Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET…
CVE-2013-0345 — CVSS 2.1 (low): varnish 3.0.3 uses world-readable permissions for the /var/log/varnish/ directory and the log files in the directory, which allows local…