CVE-2026-6276
Severity CVSS v4.0:
Pending analysis
Type:
CWE-319
Cleartext Transmission of Sensitive Information
Publication date:
13/05/2026
Last modified:
14/05/2026
Description
Using libcurl, when a custom `Host:` header is first set for an HTTP request<br />
and a second request is subsequently done using the same *easy handle* but<br />
without the custom `Host:` header set, the second request would use stale<br />
information and pass on cookies meant for the first host in the second<br />
request. Leak them.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | 7.71.0 (including) | 8.20.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



