waitress is vulnerable to HTTP request smuggling. The vulnerability exists because waitress folds a duplicated Content-Length header into a single comma-separated value, which then causes the value of Content-Length to be set to 0 when waitress tries to cast the comma-separated value to an integer. The body of the HTTP request is subsequently treated as a new HTTP request.
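The parsing pattern described above, next to a strict alternative, as an added example. This is not waitress source code: the function names and sample headers are constructed, and it assumes the failed integer cast is caught and replaced with 0.

```python
# Added illustration; not waitress source code. All names are hypothetical.

class BadRequest(Exception):
    """Signals that the request should be rejected with a 400 response."""


def fold_headers(header_lines):
    """Fold repeated header fields into one comma-separated value."""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        key = name.strip().upper()
        value = value.strip()
        if key in headers:
            headers[key] += ", " + value
        else:
            headers[key] = value
    return headers


def content_length_lenient(headers):
    """Flawed pattern (assumed): a failed integer cast silently becomes 0."""
    try:
        return int(headers.get("CONTENT-LENGTH", "0"))
    except ValueError:
        return 0


def content_length_strict(headers):
    """Hardened pattern: anything other than plain ASCII digits is rejected."""
    raw = headers.get("CONTENT-LENGTH")
    if raw is None:
        return 0
    if not (raw.isascii() and raw.isdigit()):
        raise BadRequest("invalid Content-Length: %r" % raw)
    return int(raw)


# Constructed sample: header lines of a request carrying Content-Length twice.
SAMPLE = ["Host: example.test", "Content-Length: 5", "Content-Length: 5"]

if __name__ == "__main__":
    folded = fold_headers(SAMPLE)
    print("folded value:", folded["CONTENT-LENGTH"])
    print("lenient length:", content_length_lenient(folded))
    try:
        content_length_strict(folded)
    except BadRequest as exc:
        print("strict parser rejected request:", exc)
```

With the lenient parser the server believes the request has no body, so the bytes that follow the headers remain in the connection buffer and are parsed as the next request; the strict parser ends the exchange with an error instead.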
docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes
github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65
github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6
lists.debian.org/debian-lts-announce/2022/05/msg00011.html
www.oracle.com/security-alerts/cpuapr2022.html