CVE-2026-34475: Varnish Cache: Varnish Cache and Varnish Enterprise: Cache poisoning and authentication bypass via unchecked URL handling

Severity: Critical

CVSS Score: 9.8

Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.