Lucene search
K

217 matches found

Tenable Nessus
Tenable Nessus
added 5 days ago4 views

Linux Distros Unpatched Vulnerability : CVE-2026-59883

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP- address or bare-numeric Domain values to the exact ho...

6.1CVSS6.1AI score0.00115EPSS
Exploits0References3
Snyk
Snyk
added 6 days ago4 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error via the CookieJar process. An attacker can access or manipulate cookies belonging to other hosts by exploiting improper domain matching for IP-address or bare-numeric domains. Remediation Upgrade guzzlehttp/guzzl...

6.1CVSS6.1AI score0.00115EPSS
Exploits0References2
NVD
NVD
added 6 days ago7 views

CVE-2026-59883

Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain applied ordinary suffix matching to domains such as 192.168.0.1, ::1, or 1, allowing...

6.1CVSS0.00115EPSS
Exploits0References4
NVD
NVD
added 6 days ago8 views

CVE-2026-59882

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost to disagree with the URI authority used for security ...

4.2CVSS0.00186EPSS
Exploits0References4
CVE
CVE
added 6 days ago14 views

CVE-2026-59883

CVE-2026-59883 – Guzzle: CookieJar domain-matching flaw in the PHP HTTP client allowed cookies scoped to IP-address or bare-numeric domains (e.g., 192.168.0.1, ::1) to be accepted by non-origin hosts due to SetCookie::matchesDomain() applying ordinary suffix matching. Affects versions prior to 7....

6.1CVSS6AI score0.00115EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 6 days ago35 views

CVE-2026-59883 Guzzle: Cookie Disclosure and Injection via IP-Address Domains

Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain applied ordinary suffix matching to domains such as 192.168.0.1, ::1, or 1, allowing...

4.7CVSS0.00115EPSS
Exploits0References4
Debian CVE
Debian CVE
added 6 days ago5 views

CVE-2026-59883

Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain applied ordinary suffix matching to domains such as 192.168.0.1, ::1, or 1, allowing...

6.1CVSS6AI score0.00115EPSS
Exploits0
CVE
CVE
added 6 days ago9 views

CVE-2026-59882

The CVE affects guzzlehttp/psr7 (PSR-7 HTTP message library for PHP). Prior to version 2.12.3, Uri::assertValidHost() fails to reject authority delimiters, embedded ports, or malformed IPv6 brackets in host components, causing Uri::getHost() to disagree with the URI authority used for security or...

4.2CVSS6AI score0.00186EPSS
Exploits0References4
NVD
NVD
added 2026/06/23 4:17 p.m.8 views

CVE-2026-55766

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.1, guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled dat...

4.8CVSS0.00158EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 4:17 p.m.11 views

CVE-2026-55767

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::valida...

5.8CVSS0.00111EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 4:17 p.m.23 views

CVE-2026-55568

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPTPROXYUSERPW...

5.9CVSS0.00106EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/06/23 3:7 p.m.37 views

CVE-2026-55766

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.1, guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled dat...

4.8CVSS5.8AI score0.00158EPSS
Exploits0
CVE
CVE
added 2026/06/23 3:7 p.m.16 views

CVE-2026-55766

Summary (CVE-2026-55766): guzzlehttp/psr7 (PHP) before 2.12.1 is vulnerable to CRLF injection in the HTTP start-line fields (method, protocol version, reason phrase) when attacker-controlled data ends up in those fields and the message is serialized or forwarded. The flaw requires the malformed m...

4.8CVSS5.8AI score0.00158EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/06/23 3:5 p.m.23 views

CVE-2026-55767

Summary: Guzzle 7.x before 7.12.1 is vulnerable to cookie domain handling flaws in CookieJar. dot-only Domain attributes (e.g., Domain=., Domain=.., or whitespace-padded variants) are normalized to an empty domain, and the code path that rejects only an empty domain still allows it to match any h...

5.8CVSS5.9AI score0.00111EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/23 3:5 p.m.47 views

CVE-2026-55767 Guzzle: Dot-Only Cookie Domains Match All Hosts in guzzlehttp/guzzle

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::valida...

5.8CVSS0.00111EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/06/23 2:54 p.m.5 views

CVE-2026-55568

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPTPROXYUSERPW...

5.9CVSS5.9AI score0.00106EPSS
Exploits0
CVE
CVE
added 2026/06/23 2:54 p.m.73 views

CVE-2026-55568

Summary (CVE-2026-55568) : Guzzle’s built‑in cURL handlers (CurlHandler/CurlMultiHandler) can downgrade an https:// proxy to plaintext when using libcurl older than 7.50.2, exposing proxy credentials and the CONNECT host/port. The issue occurs if an https proxy is configured and the app runs with...

5.9CVSS5.9AI score0.00106EPSS
Exploits0References1Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/21 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-55767

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants...

5.8CVSS6AI score0.00111EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/21 12:0 a.m.18 views

Linux Distros Unpatched Vulnerability : CVE-2026-55568

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is...

5.9CVSS6AI score0.00106EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.8 views

Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs

Overview Craft CMS is vulnerable to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the...

6.9CVSS6.1AI score0.0033EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder