Vulnerable Library - guzzlehttp/guzzle-7.5.0
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Vulnerabilities
| Vulnerability |
Severity |
CVSS |
Dependency |
Type |
Fixed in (guzzlehttp/guzzle version) |
Remediation Possible** |
| CVE-2026-55568 |
Medium |
5.9 |
guzzlehttp/guzzle-7.5.0 |
Direct |
guzzlehttp/guzzle - 7.12.1 |
❌ |
| CVE-2026-55767 |
Medium |
5.8 |
guzzlehttp/guzzle-7.5.0 |
Direct |
guzzlehttp/guzzle - 7.12.1 |
❌ |
| CVE-2026-49214 |
Medium |
5.3 |
guzzlehttp/psr7-2.5.0 |
Transitive |
N/A* |
❌ |
| CVE-2026-48998 |
Medium |
5.3 |
guzzlehttp/psr7-2.5.0 |
Transitive |
N/A* |
❌ |
| CVE-2026-55766 |
Medium |
4.8 |
guzzlehttp/psr7-2.5.0 |
Transitive |
N/A* |
❌ |
| CVE-2026-59883 |
Medium |
4.7 |
guzzlehttp/guzzle-7.5.0 |
Direct |
guzzlehttp/guzzle - 7.12.3 |
❌ |
| CVE-2026-59882 |
Medium |
4.2 |
guzzlehttp/psr7-2.5.0 |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-55568
Vulnerable Library - guzzlehttp/guzzle-7.5.0
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba
Dependency Hierarchy:
- ❌ guzzlehttp/guzzle-7.5.0 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy. libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2. This vulnerability is fixed in 7.12.1.
Publish Date: 2026-06-23
URL: CVE-2026-55568
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwxw-98qj-8qjx
Release Date: 2026-06-19
Fix Resolution: guzzlehttp/guzzle - 7.12.1
Step up your Open Source Security Game with Mend here
CVE-2026-55767
Vulnerable Library - guzzlehttp/guzzle-7.5.0
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba
Dependency Hierarchy:
- ❌ guzzlehttp/guzzle-7.5.0 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host. An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. This vulnerability is fixed in 7.12.1.
Publish Date: 2026-06-23
URL: CVE-2026-55767
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwxw-98qj-8qjx
Release Date: 2026-06-19
Fix Resolution: guzzlehttp/guzzle - 7.12.1
Step up your Open Source Security Game with Mend here
CVE-2026-49214
Vulnerable Library - guzzlehttp/psr7-2.5.0
PSR-7 message implementation that also provides common utility methods
Library home page: https://api.github.com/repos/guzzle/psr7/zipball/b635f279edd83fc275f822a1188157ffea568ff6
Dependency Hierarchy:
- guzzlehttp/guzzle-7.5.0 (Root Library)
- ❌ guzzlehttp/psr7-2.5.0 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to construct a PSR-7 "Uri" or "Request". Third, the host component contains CRLF or another header-unsafe character. Fourth, the host is copied into the PSR-7 "Host" header when no explicit "Host" header is provided. Finally, the request is serialized or sent by an HTTP client that does not independently reject the malformed host. In that flow, an attacker can cause the serialized request to contain additional attacker-controlled header lines. For example, a host containing ""\r\nX-Injected: yes"" can cause the generated "Host" header to span multiple HTTP header lines. Applications are affected when they use user-controlled URLs for outbound HTTP requests, URL forwarding, proxying, crawling, webhook delivery, or similar request-dispatch flows. In deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed request may also contribute to request smuggling or cache poisoning, depending on how downstream components parse the request. The issue is patched in "2.10.2" and later. "1.x" is end-of-life and will not receive a patch. As a workaround, validate and reject all untrusted URI strings before constructing PSR-7 "Uri" or "Request" instances. Reject input containing ASCII control characters, whitespace, or DEL, including CRLF, tab, space, NUL, or DEL characters. Applications that forward requests should also ensure the final HTTP client or serializer rejects invalid URI and header data before writing requests to the network.
Publish Date: 2026-06-11
URL: CVE-2026-49214
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-hq7v-mx3g-29hw
Release Date: 2026-06-11
Fix Resolution: guzzlehttp/psr7 - 2.10.2
Step up your Open Source Security Game with Mend here
CVE-2026-48998
Vulnerable Library - guzzlehttp/psr7-2.5.0
PSR-7 message implementation that also provides common utility methods
Library home page: https://api.github.com/repos/guzzle/psr7/zipball/b635f279edd83fc275f822a1188157ffea568ff6
Dependency Hierarchy:
- guzzlehttp/guzzle-7.5.0 (Root Library)
- ❌ guzzlehttp/psr7-2.5.0 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as "trusted.example@evil.example". When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value. Applications are affected if they parse attacker-controlled raw HTTP requests with "GuzzleHttp\Psr7\Message::parseRequest()" or the legacy 1.x "GuzzleHttp\Psr7\parse_request()" function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host. The issue is patched in "2.10.2". "1.x" is end-of-life and will not receive a patch. Some workarounds are available. Validate the "Host" header as "uri-host [ ":" port ]" before calling "Message::parseRequest()" or legacy "parse_request()" on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters.
Publish Date: 2026-06-11
URL: CVE-2026-48998
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-34xg-wgjx-8xph
Release Date: 2026-06-11
Fix Resolution: guzzlehttp/psr7 - 2.10.2
Step up your Open Source Security Game with Mend here
CVE-2026-55766
Vulnerable Library - guzzlehttp/psr7-2.5.0
PSR-7 message implementation that also provides common utility methods
Library home page: https://api.github.com/repos/guzzle/psr7/zipball/b635f279edd83fc275f822a1188157ffea568ff6
Dependency Hierarchy:
- guzzlehttp/guzzle-7.5.0 (Root Library)
- ❌ guzzlehttp/psr7-2.5.0 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.1, guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x, for example with Message::toString() or an equivalent serializer, the serialized message could contain attacker-controlled header lines. The issue can also be reached through Message::parseRequest() or Message::parseResponse() when malformed raw messages are parsed into first-party PSR-7 objects and then serialized again. Creating or modifying a Request, Response, or other PSR-7 object alone is not sufficient. The issue requires the malformed message to be serialized and written to the network, forwarded, replayed, or otherwise processed by software that does not independently reject the malformed start line. This vulnerability is fixed in 2.12.1.
Publish Date: 2026-06-23
URL: CVE-2026-55766
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwxw-98qj-8qjx
Release Date: 2026-06-19
Fix Resolution: guzzlehttp/psr7 - 2.12.1
Step up your Open Source Security Game with Mend here
CVE-2026-59883
Vulnerable Library - guzzlehttp/guzzle-7.5.0
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba
Dependency Hierarchy:
- ❌ guzzlehttp/guzzle-7.5.0 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1, [::1], or 1, allowing cross-host cookie disclosure, cookie injection, or session fixation. This issue is fixed in version 7.12.3.
Publish Date: 2026-07-08
URL: CVE-2026-59883
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-g446-98w2-8p5w
Release Date: 2026-07-08
Fix Resolution: guzzlehttp/guzzle - 7.12.3
Step up your Open Source Security Game with Mend here
CVE-2026-59882
Vulnerable Library - guzzlehttp/psr7-2.5.0
PSR-7 message implementation that also provides common utility methods
Library home page: https://api.github.com/repos/guzzle/psr7/zipball/b635f279edd83fc275f822a1188157ffea568ff6
Dependency Hierarchy:
- guzzlehttp/guzzle-7.5.0 (Root Library)
- ❌ guzzlehttp/psr7-2.5.0 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost() to disagree with the URI authority used for security or routing decisions. This issue is fixed in version 2.12.3.
Publish Date: 2026-07-08
URL: CVE-2026-59882
CVSS 3 Score Details (4.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2w2-prh8-qm98
Release Date: 2026-07-08
Fix Resolution: guzzlehttp/psr7 - 2.12.3
Step up your Open Source Security Game with Mend here
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - guzzlehttp/guzzle-7.5.0
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy. libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2. This vulnerability is fixed in 7.12.1.
Publish Date: 2026-06-23
URL: CVE-2026-55568
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-cwxw-98qj-8qjx
Release Date: 2026-06-19
Fix Resolution: guzzlehttp/guzzle - 7.12.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - guzzlehttp/guzzle-7.5.0
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host. An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. This vulnerability is fixed in 7.12.1.
Publish Date: 2026-06-23
URL: CVE-2026-55767
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-cwxw-98qj-8qjx
Release Date: 2026-06-19
Fix Resolution: guzzlehttp/guzzle - 7.12.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - guzzlehttp/psr7-2.5.0
PSR-7 message implementation that also provides common utility methods
Library home page: https://api.github.com/repos/guzzle/psr7/zipball/b635f279edd83fc275f822a1188157ffea568ff6
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to construct a PSR-7 "Uri" or "Request". Third, the host component contains CRLF or another header-unsafe character. Fourth, the host is copied into the PSR-7 "Host" header when no explicit "Host" header is provided. Finally, the request is serialized or sent by an HTTP client that does not independently reject the malformed host. In that flow, an attacker can cause the serialized request to contain additional attacker-controlled header lines. For example, a host containing ""\r\nX-Injected: yes"" can cause the generated "Host" header to span multiple HTTP header lines. Applications are affected when they use user-controlled URLs for outbound HTTP requests, URL forwarding, proxying, crawling, webhook delivery, or similar request-dispatch flows. In deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed request may also contribute to request smuggling or cache poisoning, depending on how downstream components parse the request. The issue is patched in "2.10.2" and later. "1.x" is end-of-life and will not receive a patch. As a workaround, validate and reject all untrusted URI strings before constructing PSR-7 "Uri" or "Request" instances. Reject input containing ASCII control characters, whitespace, or DEL, including CRLF, tab, space, NUL, or DEL characters. Applications that forward requests should also ensure the final HTTP client or serializer rejects invalid URI and header data before writing requests to the network.
Publish Date: 2026-06-11
URL: CVE-2026-49214
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hq7v-mx3g-29hw
Release Date: 2026-06-11
Fix Resolution: guzzlehttp/psr7 - 2.10.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - guzzlehttp/psr7-2.5.0
PSR-7 message implementation that also provides common utility methods
Library home page: https://api.github.com/repos/guzzle/psr7/zipball/b635f279edd83fc275f822a1188157ffea568ff6
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as "trusted.example@evil.example". When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value. Applications are affected if they parse attacker-controlled raw HTTP requests with "GuzzleHttp\Psr7\Message::parseRequest()" or the legacy 1.x "GuzzleHttp\Psr7\parse_request()" function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host. The issue is patched in "2.10.2". "1.x" is end-of-life and will not receive a patch. Some workarounds are available. Validate the "Host" header as "uri-host [ ":" port ]" before calling "Message::parseRequest()" or legacy "parse_request()" on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters.
Publish Date: 2026-06-11
URL: CVE-2026-48998
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-34xg-wgjx-8xph
Release Date: 2026-06-11
Fix Resolution: guzzlehttp/psr7 - 2.10.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - guzzlehttp/psr7-2.5.0
PSR-7 message implementation that also provides common utility methods
Library home page: https://api.github.com/repos/guzzle/psr7/zipball/b635f279edd83fc275f822a1188157ffea568ff6
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.1, guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x, for example with Message::toString() or an equivalent serializer, the serialized message could contain attacker-controlled header lines. The issue can also be reached through Message::parseRequest() or Message::parseResponse() when malformed raw messages are parsed into first-party PSR-7 objects and then serialized again. Creating or modifying a Request, Response, or other PSR-7 object alone is not sufficient. The issue requires the malformed message to be serialized and written to the network, forwarded, replayed, or otherwise processed by software that does not independently reject the malformed start line. This vulnerability is fixed in 2.12.1.
Publish Date: 2026-06-23
URL: CVE-2026-55766
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-cwxw-98qj-8qjx
Release Date: 2026-06-19
Fix Resolution: guzzlehttp/psr7 - 2.12.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - guzzlehttp/guzzle-7.5.0
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1, [::1], or 1, allowing cross-host cookie disclosure, cookie injection, or session fixation. This issue is fixed in version 7.12.3.
Publish Date: 2026-07-08
URL: CVE-2026-59883
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-g446-98w2-8p5w
Release Date: 2026-07-08
Fix Resolution: guzzlehttp/guzzle - 7.12.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - guzzlehttp/psr7-2.5.0
PSR-7 message implementation that also provides common utility methods
Library home page: https://api.github.com/repos/guzzle/psr7/zipball/b635f279edd83fc275f822a1188157ffea568ff6
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost() to disagree with the URI authority used for security or routing decisions. This issue is fixed in version 2.12.3.
Publish Date: 2026-07-08
URL: CVE-2026-59882
CVSS 3 Score Details (4.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-c2w2-prh8-qm98
Release Date: 2026-07-08
Fix Resolution: guzzlehttp/psr7 - 2.12.3
Step up your Open Source Security Game with Mend here