{"api_version":"1","generated_at":"2026-07-03T07:04:21+00:00","cve":"CVE-2006-2786","urls":{"html":"https://cve.report/CVE-2006-2786","api":"https://cve.report/api/cve/CVE-2006-2786.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2006-2786","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2006-2786"},"summary":{"title":"CVE-2006-2786","description":"HTTP response smuggling vulnerability in Mozilla Firefox and Thunderbird before 1.5.0.4, when used with certain proxy servers, allows remote attackers to cause Firefox to interpret certain responses as if they were responses from two different sites via (1) invalid HTTP response headers with spaces between the header name and the colon, which might not be ignored in some cases, or (2) HTTP 1.1 headers through an HTTP 1.0 proxy, which are ignored by the proxy but processed by the client.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2006-06-02 20:02:00","updated_at":"2018-10-18 16:42:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"http://www.vupen.com/english/advisories/2006/2106","name":"ADV-2006-2106","refsource":"VUPEN","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.gentoo.org/security/en/glsa/glsa-200606-12.xml","name":"GLSA-200606-12","refsource":"GENTOO","tags":[],"title":"Gentoo Linux Documentation\n--\n  Mozilla Firefox: Multiple vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2006-0609.html","name":"RHSA-2006:0609","refsource":"REDHAT","tags":[],"title":"rhn.redhat.com | Red Hat Support","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/446658/100/200/threaded","name":"SSRT061181","refsource":"HP","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.novell.com/linux/security/advisories/2006_35_mozilla.html","name":"SUSE-SA:2006:035","refsource":"SUSE","tags":[],"title":"Security Announcement","mime":"text/html","httpstatus":"404","archivestatus":"200"},{"url":"http://secunia.com/advisories/21324","name":"21324","refsource":"SECUNIA","tags":[],"title":"Debian update for mozilla-thunderbird - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/296-1/","name":"USN-296-1","refsource":"UBUNTU","tags":[],"title":"USN-296-1: firefox vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/22066","name":"22066","refsource":"SECUNIA","tags":[],"title":"HP-UX update for firefox - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26844","name":"mozilla-http-response-smuggling(26844)","refsource":"XF","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/446657/100/200/threaded","name":"SSRT061236","refsource":"HP","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/20376","name":"20376","refsource":"SECUNIA","tags":[],"title":"Firefox Multiple Vulnerabilities - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.debian.org/security/2006/dsa-1134","name":"DSA-1134","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-1134-1 mozilla-thunderbird","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://securitytracker.com/id?1016202","name":"1016202","refsource":"SECTRACK","tags":[],"title":"SecurityTracker.com Archives - Mozilla Firefox Bugs Permit Arbitrary Code Execution, Cross-Site Scripting, and HTTP Response Smuggling","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.redhat.com/support/errata/RHSA-2006-0611.html","name":"RHSA-2006:0611","refsource":"REDHAT","tags":[],"title":"rhn.redhat.com | Red Hat Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.gentoo.org/security/en/glsa/glsa-200606-21.xml","name":"GLSA-200606-21","refsource":"GENTOO","tags":[],"title":"Gentoo Linux Documentation\n--\n  Mozilla Thunderbird: Multiple vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.mandriva.com/security/advisories?name=MDKSA-2006:143","name":"MDKSA-2006:143","refsource":"MANDRIVA","tags":[],"title":"Advisories - Mandriva Linux","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.debian.org/security/2006/dsa-1118","name":"DSA-1118","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-1118-1 mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/21336","name":"21336","refsource":"SECUNIA","tags":[],"title":"Red Hat update for seamonkey - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/20382","name":"20382","refsource":"SECUNIA","tags":[],"title":"Thunderbird Multiple Vulnerabilities - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/435795/100/0/threaded","name":"20060602 rPSA-2006-0091-1 firefox thunderbird","refsource":"BUGTRAQ","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.vupen.com/english/advisories/2008/0083","name":"ADV-2008-0083","refsource":"VUPEN","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.redhat.com/support/errata/RHSA-2006-0578.html","name":"RHSA-2006:0578","refsource":"REDHAT","tags":[],"title":"rhn.redhat.com | Red Hat Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/297-1/","name":"USN-297-1","refsource":"UBUNTU","tags":[],"title":"USN-297-1: Thunderbird vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/21183","name":"21183","refsource":"SECUNIA","tags":[],"title":"Debian update for mozilla - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/21532","name":"21532","refsource":"SECUNIA","tags":[],"title":"Mandriva update for mozilla-firefox - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.vupen.com/english/advisories/2006/3748","name":"ADV-2006-3748","refsource":"VUPEN","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.debian.org/security/2006/dsa-1120","name":"DSA-1120","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-1120-1 mozilla-firefox","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/323-1/","name":"USN-323-1","refsource":"UBUNTU","tags":[],"title":"USN-323-1: mozilla vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://securitytracker.com/id?1016214","name":"1016214","refsource":"SECTRACK","tags":[],"title":"SecurityTracker.com Archives - Mozilla Thunderbird Bugs Permit Arbitrary Code Execution, Cross-Site Scripting, and HTTP Response Smuggling","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9966","name":"oval:org.mitre.oval:def:9966","refsource":"OVAL","tags":[],"title":"Repository  /  Oval Repository","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.redhat.com/support/errata/RHSA-2006-0610.html","name":"RHSA-2006:0610","refsource":"REDHAT","tags":[],"title":"rhn.redhat.com | Red Hat Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.mozilla.org/security/announce/2006/mfsa2006-33.html","name":"http://www.mozilla.org/security/announce/2006/mfsa2006-33.html","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"MFSA 2006-33: HTTP response smuggling","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.redhat.com/support/errata/RHSA-2006-0594.html","name":"RHSA-2006:0594","refsource":"REDHAT","tags":[],"title":"rhn.redhat.com | Red Hat Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/21176","name":"21176","refsource":"SECUNIA","tags":[],"title":"Debian update for mozilla-firefox - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/18228","name":"18228","refsource":"BID","tags":[],"title":"Mozilla Firefox, SeaMonkey, Camino, and Thunderbird Multiple Remote Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://secunia.com/advisories/22065","name":"22065","refsource":"SECUNIA","tags":[],"title":"HP-UX update for thunderbird - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/20709","name":"20709","refsource":"SECUNIA","tags":[],"title":"Gentoo update for mozilla-thunderbird - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.mandriva.com/security/advisories?name=MDKSA-2006:145","name":"MDKSA-2006:145","refsource":"MANDRIVA","tags":[],"title":"Advisories - Mandriva Linux","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/21188","name":"21188","refsource":"SECUNIA","tags":[],"title":"Ubuntu update for firefox - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/21631","name":"21631","refsource":"SECUNIA","tags":[],"title":"Red Hat update for seamonkey - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/296-2/","name":"USN-296-2","refsource":"UBUNTU","tags":[],"title":"USN-296-2: Firefox vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.vupen.com/english/advisories/2006/3749","name":"ADV-2006-3749","refsource":"VUPEN","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"503"},{"url":"http://secunia.com/advisories/21269","name":"21269","refsource":"SECUNIA","tags":[],"title":"Red Hat update for thunderbird - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/20561","name":"20561","refsource":"SECUNIA","tags":[],"title":"Gentoo update for firefox - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/21270","name":"21270","refsource":"SECUNIA","tags":[],"title":"Red Hat update for firefox - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/21178","name":"21178","refsource":"SECUNIA","tags":[],"title":"Ubuntu update for mozilla - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/21134","name":"21134","refsource":"SECUNIA","tags":[],"title":"Red Hat update for seamonkey - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2006-2786","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-2786","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2006","cve_id":"2786","vulnerable":"1","versionEndIncluding":"1.5.0.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2006","cve_id":"2786","vulnerable":"1","versionEndIncluding":"1.5.0.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2006-2786","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"HTTP response smuggling vulnerability in Mozilla Firefox and Thunderbird before 1.5.0.4, when used with certain proxy servers, allows remote attackers to cause Firefox to interpret certain responses as if they were responses from two different sites via (1) invalid HTTP response headers with spaces between the header name and the colon, which might not be ignored in some cases, or (2) HTTP 1.1 headers through an HTTP 1.0 proxy, which are ignored by the proxy but processed by the client."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"20709","refsource":"SECUNIA","url":"http://secunia.com/advisories/20709"},{"name":"21176","refsource":"SECUNIA","url":"http://secunia.com/advisories/21176"},{"name":"MDKSA-2006:145","refsource":"MANDRIVA","url":"http://www.mandriva.com/security/advisories?name=MDKSA-2006:145"},{"name":"ADV-2006-3748","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2006/3748"},{"name":"USN-296-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/296-1/"},{"name":"mozilla-http-response-smuggling(26844)","refsource":"XF","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26844"},{"name":"USN-323-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/323-1/"},{"name":"20561","refsource":"SECUNIA","url":"http://secunia.com/advisories/20561"},{"name":"oval:org.mitre.oval:def:9966","refsource":"OVAL","url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9966"},{"name":"RHSA-2006:0594","refsource":"REDHAT","url":"http://www.redhat.com/support/errata/RHSA-2006-0594.html"},{"name":"21336","refsource":"SECUNIA","url":"http://secunia.com/advisories/21336"},{"name":"20382","refsource":"SECUNIA","url":"http://secunia.com/advisories/20382"},{"name":"1016214","refsource":"SECTRACK","url":"http://securitytracker.com/id?1016214"},{"name":"20060602 rPSA-2006-0091-1 firefox thunderbird","refsource":"BUGTRAQ","url":"http://www.securityfocus.com/archive/1/435795/100/0/threaded"},{"name":"ADV-2006-3749","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2006/3749"},{"name":"RHSA-2006:0610","refsource":"REDHAT","url":"http://www.redhat.com/support/errata/RHSA-2006-0610.html"},{"name":"20376","refsource":"SECUNIA","url":"http://secunia.com/advisories/20376"},{"name":"RHSA-2006:0609","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2006-0609.html"},{"name":"21178","refsource":"SECUNIA","url":"http://secunia.com/advisories/21178"},{"name":"1016202","refsource":"SECTRACK","url":"http://securitytracker.com/id?1016202"},{"name":"18228","refsource":"BID","url":"http://www.securityfocus.com/bid/18228"},{"name":"21532","refsource":"SECUNIA","url":"http://secunia.com/advisories/21532"},{"name":"21270","refsource":"SECUNIA","url":"http://secunia.com/advisories/21270"},{"name":"ADV-2008-0083","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2008/0083"},{"name":"21188","refsource":"SECUNIA","url":"http://secunia.com/advisories/21188"},{"name":"21134","refsource":"SECUNIA","url":"http://secunia.com/advisories/21134"},{"name":"21631","refsource":"SECUNIA","url":"http://secunia.com/advisories/21631"},{"name":"SSRT061181","refsource":"HP","url":"http://www.securityfocus.com/archive/1/446658/100/200/threaded"},{"name":"SSRT061236","refsource":"HP","url":"http://www.securityfocus.com/archive/1/446657/100/200/threaded"},{"name":"USN-296-2","refsource":"UBUNTU","url":"https://usn.ubuntu.com/296-2/"},{"name":"GLSA-200606-21","refsource":"GENTOO","url":"http://www.gentoo.org/security/en/glsa/glsa-200606-21.xml"},{"name":"DSA-1118","refsource":"DEBIAN","url":"http://www.debian.org/security/2006/dsa-1118"},{"name":"HPSBUX02153","refsource":"HP","url":"http://www.securityfocus.com/archive/1/446658/100/200/threaded"},{"name":"DSA-1120","refsource":"DEBIAN","url":"http://www.debian.org/security/2006/dsa-1120"},{"name":"RHSA-2006:0611","refsource":"REDHAT","url":"http://www.redhat.com/support/errata/RHSA-2006-0611.html"},{"name":"HPSBUX02156","refsource":"HP","url":"http://www.securityfocus.com/archive/1/446657/100/200/threaded"},{"name":"DSA-1134","refsource":"DEBIAN","url":"http://www.debian.org/security/2006/dsa-1134"},{"name":"GLSA-200606-12","refsource":"GENTOO","url":"http://www.gentoo.org/security/en/glsa/glsa-200606-12.xml"},{"name":"21324","refsource":"SECUNIA","url":"http://secunia.com/advisories/21324"},{"name":"21183","refsource":"SECUNIA","url":"http://secunia.com/advisories/21183"},{"name":"22066","refsource":"SECUNIA","url":"http://secunia.com/advisories/22066"},{"name":"21269","refsource":"SECUNIA","url":"http://secunia.com/advisories/21269"},{"name":"SUSE-SA:2006:035","refsource":"SUSE","url":"http://www.novell.com/linux/security/advisories/2006_35_mozilla.html"},{"name":"http://www.mozilla.org/security/announce/2006/mfsa2006-33.html","refsource":"CONFIRM","url":"http://www.mozilla.org/security/announce/2006/mfsa2006-33.html"},{"name":"USN-297-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/297-1/"},{"name":"RHSA-2006:0578","refsource":"REDHAT","url":"http://www.redhat.com/support/errata/RHSA-2006-0578.html"},{"name":"ADV-2006-2106","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2006/2106"},{"name":"MDKSA-2006:143","refsource":"MANDRIVA","url":"http://www.mandriva.com/security/advisories?name=MDKSA-2006:143"},{"name":"22065","refsource":"SECUNIA","url":"http://secunia.com/advisories/22065"}]}},"nvd":{"publishedDate":"2006-06-02 20:02:00","lastModifiedDate":"2018-10-18 16:42:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":2.6},"severity":"LOW","exploitabilityScore":4.9,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndIncluding":"1.5.0.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndIncluding":"1.5.0.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2006","CveId":"2786","Ordinal":"18106","Title":"CVE-2006-2786","CVE":"CVE-2006-2786","Year":"2006"},"notes":[{"CveYear":"2006","CveId":"2786","Ordinal":"1","NoteData":"HTTP response smuggling vulnerability in Mozilla Firefox and Thunderbird before 1.5.0.4, when used with certain proxy servers, allows remote attackers to cause Firefox to interpret certain responses as if they were responses from two different sites via (1) invalid HTTP response headers with spaces between the header name and the colon, which might not be ignored in some cases, or (2) HTTP 1.1 headers through an HTTP 1.0 proxy, which are ignored by the proxy but processed by the client.","Type":"Description","Title":null},{"CveYear":"2006","CveId":"2786","Ordinal":"2","NoteData":"2006-06-02","Type":"Other","Title":"Published"},{"CveYear":"2006","CveId":"2786","Ordinal":"3","NoteData":"2018-10-18","Type":"Other","Title":"Modified"}]}}}