{"id":"CURL-CVE-2026-9546","summary":"sending old referer","details":"A vulnerability in libcurl caused the HTTP `Referer:` header to persist even\nwhen explicitly cleared. While the documentation states that passing NULL to\n`CURLOPT_REFERER` suppresses the header, the option failed to clear the\ninternal state. As a result, the previous referrer string was erroneously\nreused and sent in subsequent requests, potentially leaking sensitive\ninformation to unintended servers.","aliases":["CVE-2026-9546"],"modified":"2026-07-07T18:35:02.773338Z","published":"2026-06-24T08:00:00Z","database_specific":{"last_affected":"8.20.0","package":"curl","severity":"Low","www":"https://curl.se/docs/CVE-2026-9546.html","CWE":{"desc":"Exposure of Sensitive Information to an Unauthorized Actor","id":"CWE-200"},"URL":"https://curl.se/docs/CVE-2026-9546.json","affects":"lib","issue":"https://hackerone.com/reports/3754343"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.18.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"2cb868242dc2ac9cd52ee64987ef51d5964a56f9"},{"fixed":"862e8a74a84478d82973471b4f49dc2746c1780e"}]}],"versions":["8.20.0","8.19.0","8.18.0","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2026-9546.json","vanir_signatures_modified":"2026-07-07T18:35:02Z","vanir_signatures":[{"deprecated":false,"digest":{"line_hashes":["329802710635362475633966257142929289229","59722172210655117825890418870938329781","183831522990858182837473479172905867047","304554302798540308152858876043779062238"],"threshold":0.9},"id":"CURL-CVE-2026-9546-7ba9ca43","signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/862e8a74a84478d82973471b4f49dc2746c1780e","target":{"file":"lib/transfer.c"}},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/862e8a74a84478d82973471b4f49dc2746c1780e","target":{"file":"lib/transfer.c","function":"Curl_pretransfer"},"deprecated":false,"digest":{"function_hash":"192731219037552860576466850254657292841","length":3790},"id":"CURL-CVE-2026-9546-93bc1aa3"}]}}],"schema_version":"1.7.5","credits":[{"name":"renjian on hackerone","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}