


Perceptive Security
SOC/SIEM Consultancy

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_…
Published:
3 March 2026 at 23:00:00
Alert date:
4 March 2026 at 21:01:35
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
CVE-2026-28435 affects cpp-httplib, a C++11 HTTP/HTTPS library, prior to version 0.35.0. The vulnerability allows the limit set with Server::set_payload_max_length() to be bypassed for decompressed request bodies when a handler uses HandlerWithContentReader and the request carries a Content-Encoding such as gzip. Attackers can send small compressed payloads that expand beyond the configured limit, potentially causing denial of service through CPU and memory exhaustion. The issue occurs because the payload size limit is not enforced on decompressed content in streaming scenarios. This vulnerability is fixed in version 0.35.0.
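As a defensive illustration of the missing check, the added example below (not cpp-httplib code and not taken from the advisory or the fix commit) counts bytes after decompression inside the receiver itself and stops the stream once a cap is reached. CappedBody, deliver_chunks and the 64 KiB cap are hypothetical; the decompression stage is simulated with constructed data so the block runs without the library, and the bool(const char*, size_t) receiver shape is assumed to match the callback a streaming handler supplies.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <string>

using Receiver = std::function<bool(const char *, std::size_t)>;

// Hypothetical helper, not a cpp-httplib type: buffers chunks and refuses
// the first chunk that would push the decompressed body past max_bytes.
class CappedBody {
public:
  explicit CappedBody(std::size_t max_bytes) : max_(max_bytes) {}
  bool operator()(const char *data, std::size_t len) {
    // Compare with the remaining budget so the check cannot overflow.
    if (len > max_ - body_.size()) {
      exceeded_ = true;
      return false;  // tells the producer to stop delivering data
    }
    body_.append(data, len);
    return true;
  }
  bool exceeded() const { return exceeded_; }
  std::size_t size() const { return body_.size(); }

private:
  std::size_t max_;
  bool exceeded_ = false;
  std::string body_;
};

// Constructed stand-in for the decompression stage: hands `total` zero bytes
// to the receiver in 4 KiB chunks and stops when the receiver returns false.
std::size_t deliver_chunks(std::size_t total, const Receiver &receiver) {
  const std::string chunk(4096, '\0');
  std::size_t sent = 0;
  while (sent < total) {
    const std::size_t n = std::min(chunk.size(), total - sent);
    if (!receiver(chunk.data(), n)) break;
    sent += n;
  }
  return sent;
}

int main() {
  CappedBody sink(64u << 10);  // hypothetical 64 KiB cap
  // 8 MiB of expanded data arriving at the handler's receiver.
  deliver_chunks(8u << 20, [&](const char *d, std::size_t n) { return sink(d, n); });
  std::printf("exceeded=%d buffered=%zu\n", sink.exceeded(), sink.size());
  return 0;
}
```

The cap bounds what the handler buffers; it does not replace upgrading to 0.35.0, where the library enforces the configured limit itself.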
Technical details
Affected products:
cpp-httplib
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-28435
https://github.com/yhirose/cpp-httplib/commit/c99d7472b5cf4869d3897b9afc9792063a3d15a8
https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xvfx-w463-6fpp
This article was created with the assistance of AI technology by Perceptive.
