CVE-2026-9546

EUVD-2026-41494
A vulnerability in libcurl caused the HTTP `Referer:` header to persist even
when explicitly cleared. While the documentation states that passing NULL to
`CURLOPT_REFERER` suppresses the header, the option failed to clear the
internal state. As a result the previous referrer string was erroneously
reused and sent in subsequent requests, potentially leaking sensitive
information to unintended servers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
curlCNA
UNKNOWN
---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
curlcurl
𝑥
≤ 8.20.0
CNA
curlcurl
𝑥
≤ 8.19.0
CNA
curlcurl
𝑥
≤ 8.18.0
CNA
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
7.88.1-10+deb12u14
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u16
fixed
forky
vulnerable
sid
8.21.0-2
fixed
trixie
8.14.1-2+deb13u3
fixed