{"id":"CURL-CVE-2026-9546","summary":"sending old referer","details":"A vulnerability in libcurl caused the HTTP `Referer:` header to persist even\nwhen explicitly cleared. While the documentation states that passing NULL to\n`CURLOPT_REFERER` suppresses the header, the option failed to clear the\ninternal state. As a result, the previous referrer string was erroneously\nreused and sent in subsequent requests, potentially leaking sensitive\ninformation to unintended servers.","aliases":["CVE-2026-9546"],"modified":"2026-06-24T08:07:05.101624Z","published":"2026-06-24T08:00:00Z","database_specific":{"last_affected":"8.20.0","affects":"lib","www":"https://curl.se/docs/CVE-2026-9546.html","URL":"https://curl.se/docs/CVE-2026-9546.json","issue":"https://hackerone.com/reports/3754343","package":"curl","severity":"Low","CWE":{"id":"CWE-200","desc":"Exposure of Sensitive Information to an Unauthorized Actor"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.18.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"2cb868242dc2ac9cd52ee64987ef51d5964a56f9"},{"fixed":"862e8a74a84478d82973471b4f49dc2746c1780e"}]}],"versions":["8.20.0","8.19.0","8.18.0","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1"],"database_specific":{"vanir_signatures_modified":"2026-06-24T08:07:05Z","source":"https://curl.se/docs/CURL-CVE-2026-9546.json","vanir_signatures":[{"deprecated":false,"id":"CURL-CVE-2026-9546-7ba9ca43","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["329802710635362475633966257142929289229","59722172210655117825890418870938329781","183831522990858182837473479172905867047","304554302798540308152858876043779062238"]},"target":{"file":"lib/transfer.c"},"signature_type":"Line","source":"https://github.com/curl/curl.git/commit/862e8a74a84478d82973471b4f49dc2746c1780e"},{"deprecated":false,"id":"CURL-CVE-2026-9546-93bc1aa3","signature_version":"v1","digest":{"function_hash":"192731219037552860576466850254657292841","length":3790},"target":{"function":"Curl_pretransfer","file":"lib/transfer.c"},"signature_type":"Function","source":"https://github.com/curl/curl.git/commit/862e8a74a84478d82973471b4f49dc2746c1780e"}]}}],"schema_version":"1.7.5","credits":[{"name":"renjian on hackerone","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}