Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4590 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4590-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Lucas Kanashiro     May 18, 2026                                  https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : erlang     Version        : 1:23.2.6+dfsg-1+deb11u4     CVE ID         : CVE-2026-21620 CVE-2026-23941 CVE-2026-23942 CVE-2026-23943     Debian Bug     : 1128651 1130912

    Multiple vulnerabilities were discoverd in Erlang, a concurrent, real-time,     distributed functional language.

    CVE-2026-21620

        Insufficient path sanitizing in tftp_file module.

    CVE-2026-23941

        Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')         vulnerability in Erlang OTP (inets httpd module) allows HTTP Request         Smuggling.

    CVE-2026-23942

        Improper Limitation of a Pathname to a Restricted Directory ('Path         Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path         Traversal.

    CVE-2026-23943

        Improper Handling of Highly Compressed Data (Compression Bomb)         vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of         Service via Resource Depletion.

    For Debian 11 bullseye, these problems have been fixed in version     1:23.2.6+dfsg-1+deb11u4.

    We recommend that you upgrade your erlang packages.

    For the detailed security status of erlang please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/erlang

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1714-1 advisory.

    - CVE-2026-21620: remote arbitrary read/write via TFTP relative path traversal (bsc#1258663).
    - CVE-2026-23941: HTTP Request Smuggling in Erlang OTP (bsc#1259687).
    - CVE-2026-23942: path traversal vulnerability in Erlang OTP (bsc#1259681).
    - CVE-2026-23943: denial of service due to improper handling of highly compressed data in Erlang OTP ssh     (bsc#1259682).
    - CVE-2026-28808: incorrect authorization can lead to unauthenticated access to protected CGI scripts     (bsc#1261728).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the erlang package has been released.

The version of the Tenable Identity Exposure running on the remote host is prior to 3.77.17. It is, therefore, affected by multiple vulnerabilities according to advisory TNS-2026-11:

  - A flaw in Node.js's Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write`     restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted     access only to the current directory can escape the allowed path and read sensitive files. This breaks the     expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
    This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. (CVE-2025-55130)

  - Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
    (CVE-2026-21262)

  - Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate     privileges over a network. (CVE-2026-26115)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20607-1 advisory.

    Security issues fixed:

    - CVE-2026-21620: improper isolation and compartmentalization can lead to TFTP relative path traversal and     remote       arbitrary reads/writes (bsc#1258663).
    - CVE-2026-23941: improper handling of duplicate Content-Length headers in Erlang OTP can lead to HTTP     request       smuggling (bsc#1259687).
    - CVE-2026-23942: improper limitation of a pathname to a restricted directory in the SFTP server can lead     to path       traversal (bsc#1259681).
    - CVE-2026-23943: improper handling of highly compressed data in Erlang OTP ssh can lead to denial of     service       (bsc#1259682).
    - CVE-2026-28808: incorrect authorization can lead to unauthenticated access to protected CGI scripts     (bsc#1261728).
    - CVE-2026-28810: predictable DNS transaction IDs can lead to DNS cache poisoning (bsc#1261726).
    - CVE-2026-32144: missing signature verification can lead to OCSP authorization bypass and information     disclosure       (bsc#1261734).

    Other updates and bugfixes:

    - jinterface: allow to build determenistic OtpErlang.jar (bsc#1262288).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of the Tenable Identity Exposure running on the remote host is prior to 3.77.17. It is, therefore, affected by multiple vulnerabilities according to advisory TNS-2026-11:

  - A flaw in Node.js's Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write     restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script     granted access only to the current directory can escape the allowed path and read sensitive files. This     breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential     system compromise. (CVE-2025-55130)

  - Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate     privileges over a network. (CVE-2026-26115)

  - Improper access control in Curl allows an authorized attacker to elevate privileges over a network.
    (CVE-2026-21262)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets     httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files     lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server     does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request     is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-     Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving     attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0     until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3     and 9.1.0.5. (CVE-2026-23941)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
315240	Debian dla-4590 : erlang - security update	Nessus	Debian Local Security Checks	high
313669	SUSE SLES15 Security Update : erlang (SUSE-SU-2026:1714-1)	Nessus	SuSE Local Security Checks	high
312353	Photon OS 5.0: Erlang PHSA-2026-5.0-0831	Nessus	PhotonOS Local Security Checks	high
312351	Photon OS 4.0: Erlang PHSA-2026-4.0-1005	Nessus	PhotonOS Local Security Checks	high
310403	Tenable Identity Exposure < 3.77.17 Multiple Vulnerabilities (TNS-2026-11)	Nessus	Misc.	high
310082	openSUSE 16 Security Update : erlang (openSUSE-SU-2026:20607-1)	Nessus	SuSE Local Security Checks	high
307436	Tenable Identity Exposure < 3.77.17 Multiple Vulnerabilities (TNS-2026-11)	Nessus	Misc.	high
302363	Linux Distros Unpatched Vulnerability : CVE-2026-23941	Nessus	Misc.	high

Detections

Analytics

CVE-2026-23941

high

Tenable Plugins

high

high

high

high

high

high

high

high