CVE-2026-9546

ANALYSIS PENDING

curl - Sending Old Referer

Description

A vulnerability in libcurl caused the HTTP `Referer:` header to persist even after it was explicitly cleared. The documentation states that passing NULL to `CURLOPT_REFERER` suppresses the header, but the option failed to clear the internal state. As a result, the previous referrer string was erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers.

Scores

EPSS 0.0021
EPSS Percentile 10.8%

Details

Status published
Products (3)
curl/curl 8.18.0
curl/curl 8.19.0
curl/curl 8.20.0
Published Jul 03, 2026
Tracked Since Jul 03, 2026