CVE-2026-9546
ADVISORY - debianSummary
A vulnerability in libcurl caused the HTTP Referer: header to persist even when explicitly cleared. While the documentation states that passing NULL to CURLOPT_REFERER suppresses the header, the option failed to clear the internal state. As a result the previous referrer string was erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers.
- curl 8.21.0~rc2-1 [trixie] - curl (Vulnerable code not present) [bookworm] - curl (Vulnerable code not present) [bullseye] - curl (Vulnerable code not present) https://curl.se/docs/CVE-2026-9546.html Introduced with: https://github.com/curl/curl/commit/2cb868242dc2ac9cd52ee64987ef51d5964a56f9 (curl-8_18_0) Fixed by: https://github.com/curl/curl/commit/862e8a74a84478d82973471b4f49dc2746c1780e (rc-8_21_0-1, curl-8_21_0)
EPSS Score: 0.00206 (0.108)
Common Weakness Enumeration (CWE)
Alpine
CREATED
UPDATED
ADVISORY IDCVE-2026-9546
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Debian
CREATED
UPDATED
ADVISORY IDCVE-2026-9546
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/AlowUbuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-9546
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-