CVE-2026-6276

Severity CVSS v4.0:
Pending analysis
Type:
CWE-319 Cleartext Transmission of Sensitive Information
Publication date:
13/05/2026
Last modified:
14/05/2026

Description

Using libcurl, when a custom `Host:` header is first set for an HTTP request<br /> and a second request is subsequently done using the same *easy handle* but<br /> without the custom `Host:` header set, the second request would use stale<br /> information and pass on cookies meant for the first host in the second<br /> request. Leak them.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* 7.71.0 (including) 8.20.0 (excluding)