PT-2026-56501 · Guzzle · Guzzle
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-59883
CVSS v3.1
4.7
Medium
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1, [::1], or 1, allowing cross-host cookie disclosure, cookie injection, or session fixation. This issue is fixed in version 7.12.3.
Fix
Session Fixation
Origin Validation Error
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Guzzle