Vulnerability in Traefik

CVE-2026-29777

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query paramete…

EPSS: 0.000 (4.6th percentile) — read the EPSS interpretation.

Affected products

Traefik — versions < 3.6.10

Weakness classification (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)

References

https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj (x_refsource_CONFIRM)
https://github.com/traefik/traefik/releases/tag/v3.6.10 (x_refsource_MISC)