CVE-2026-9546

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/07/2026
Last modified:
03/07/2026

Description

A vulnerability in libcurl caused the HTTP `Referer:` header to persist even<br /> when explicitly cleared. While the documentation states that passing NULL to<br /> `CURLOPT_REFERER` suppresses the header, the option failed to clear the<br /> internal state. As a result the previous referrer string was erroneously<br /> reused and sent in subsequent requests, potentially leaking sensitive<br /> information to unintended servers.

Impact