CVE-2026-9546
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/07/2026
Last modified:
03/07/2026
Description
A vulnerability in libcurl caused the HTTP `Referer:` header to persist even<br />
when explicitly cleared. While the documentation states that passing NULL to<br />
`CURLOPT_REFERER` suppresses the header, the option failed to clear the<br />
internal state. As a result the previous referrer string was erroneously<br />
reused and sent in subsequent requests, potentially leaking sensitive<br />
information to unintended servers.



