Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi. CREATE(Triage):(User=admin) [CVE-2019-18860|https://nvd.nist.gov/vuln/detail/CVE-2019-18860]