diff --git a/httpd-2.4.37-CVE-2026-28780.patch b/httpd-2.4.37-CVE-2026-28780.patch
new file mode 100644
index 0000000..2ad495b
--- /dev/null
+++ b/httpd-2.4.37-CVE-2026-28780.patch
@@ -0,0 +1,33 @@
+From d04119e6e591f7b21222e749387a8b39e9092a1b Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Sun, 26 Apr 2026 15:57:55 +0000
+Subject: [PATCH] Merge r1933347 from trunk:
+
+fix ajp_msg_check_header check
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933348 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_msg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 3d4186a521c..3454f621828 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -166,11 +166,11 @@ apr_status_t ajp_msg_check_header(ajp_msg_t *msg, apr_size_t *len)
+     msglen  = ((head[2] & 0xff) << 8);
+     msglen += (head[3] & 0xFF);
+ 
+-    if (msglen > msg->max_size) {
++    if (msglen > (msg->max_size - AJP_HEADER_LEN)) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(01081)
+                      "ajp_msg_check_header() incoming message is "
+                      "too big %" APR_SIZE_T_FMT ", max is %" APR_SIZE_T_FMT,
+-                     msglen, msg->max_size);
++                     msglen, msg->max_size - AJP_HEADER_LEN);
+         return AJP_ETOBIG;
+     }
+ 
+
diff --git a/httpd.spec b/httpd.spec
index c709360..1653e55 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -14,7 +14,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 65%{?dist}.7
+Release: 65%{?dist}.8
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@@ -299,6 +299,8 @@ Patch252: httpd-2.4.37-CVE-2025-66200.patch
 Patch253: httpd-2.4.37-CVE-2025-65082.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2419365
 Patch254: httpd-2.4.37-CVE-2025-58098.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2466913
+Patch255: httpd-2.4.37-CVE-2026-28780.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -543,6 +545,7 @@ interface for storing and accessing per-user session data.
 %patch252 -p1 -b .CVE-2025-66200
 %patch253 -p1 -b .CVE-2025-65082
 %patch254 -p1 -b .CVE-2025-58098
+%patch255 -p1 -b .CVE-2026-28780
 
 %patch96 -p1 -b .r1922080
 
@@ -1054,6 +1057,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Tue May 12 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.8
+- Resolves: RHEL-173558 - httpd:2.4/httpd: Apache HTTP Server mod_proxy_ajp:
+  Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780)
+
 * Fri Dec 12 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.7
 - Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass
   via AllowOverride FileInfo (CVE-2025-66200)