GHSA-Q8R6-5HFW-5JFF guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator

Impact guzzlehttp/guzzle-services does not safely serialize scalar XML element values containing the CDATA terminator . The XML request serializer writes values containing , or & with XMLWriter::writeCData$value. If attacker-controlled input contains , the CDATA section closes early and the...

guzzlehttp/psr7 has CRLF Injection via URI Host Component

Impact guzzlehttp/psr7 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with GuzzleHttp\Psr7\Message::toString or an equivalent custom serializer. Creating a...

CVE-2026-53723

Guzzle Services (guzzlehttp/guzzle-services) contains an XML request serialization flaw in versions before 1.5.4 where scalar XML element values may include the CDATA terminator ]]>, causing the CDATA to end early and injecting XML markup into outgoing requests. This is an outgoing request‑bod...

CVE-2026-39832

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all...