AikidoSec · sampion88 · Mar 5, 2026
diff --git a/input/new.json b/input/new.json
@@ -1,15 +1,24 @@
 {
-  "package_name": "",
-  "patch_versions": [],
-  "vulnerable_ranges": [],
-  "cwe": [],
-  "tldr": "",
-  "doest_this_affect_me": "",
-  "how_to_fix": "",
-  "vulnerable_to": "",
-  "related_cve_id": "",
-  "language": "",
-  "severity_class": "",
-  "aikido_score": 0,
-  "changelog": ""
+  "package_name": "pingora-core",
+  "patch_versions": [
+    "0.8.0"
+  ],
+  "vulnerable_ranges": [
+    [
+      "0.1.0",
+      "0.7.0"
+    ]
+  ],
+  "cwe": [
+    "CWE-444"
+  ],
+  "tldr": "Affected versions of this package are vulnerable to HTTP request smuggling. When handling HTTP/1.1 requests containing an `Upgrade` header, the proxy may forward remaining connection bytes to the backend before the backend has accepted the upgrade. An attacker can exploit this behavior to append a malicious payload after the initial request, which the backend may interpret as a subsequent request. This may allow attackers to bypass proxy-level security controls, poison upstream connections or caches, and potentially perform cross-user session hijacking.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `pingora-core` library to the patch version.",
+  "vulnerable_to": "HTTP Request/Response Smuggling",
+  "related_cve_id": "CVE-2026-2833",
+  "language": "RUST",
+  "severity_class": "CRITICAL",
+  "aikido_score": 93,
+  "changelog": "https://rustsec.org/advisories/RUSTSEC-2026-0033.html"
 }