๐Ÿ” CVE Alert

CVE-2026-59883

MEDIUM 4.7

Guzzle: Cookie Disclosure and Injection via IP-Address Domains

CVSS Score
4.7
EPSS Score
0.1%
EPSS Percentile
2th

Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1, [::1], or 1, allowing cross-host cookie disclosure, cookie injection, or session fixation. This issue is fixed in version 7.12.3.

CWE CWE-346 CWE-384
Vendor guzzle
Product guzzle
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for guzzle guzzle

Be the first to know when new medium vulnerabilities affecting guzzle guzzle are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

guzzle / guzzle
< 7.12.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/guzzle/guzzle/security/advisories/GHSA-g446-98w2-8p5w github.com: https://github.com/guzzle/guzzle/pull/3694 github.com: https://github.com/guzzle/guzzle/commit/b9944c161b12d9ee9c9334cfc5b9659ecd7451f8 github.com: https://github.com/guzzle/guzzle/releases/tag/7.12.3