Outgoing Request Body Integrity Issue in Guzzle Services by Guzzle
CVE-2026-53723

5.8MEDIUM

Key Information:

Vendor

Guzzle

Vendor
CVE Published:
11 June 2026

What is CVE-2026-53723?

The Guzzle Services implementation prior to version 1.5.4 contains a vulnerability that affects how XML element values, particularly those containing the CDATA terminator ]]>, are serialized. This issue may allow attackers to influence outgoing requests, potentially injecting undesired XML markup. The vulnerability arises when the application serializes untrusted, attacker-controlled input for parameters specified with location: xml. If the parameter value contains ]]>, it allows premature closing of the CDATA section, which can lead to malformed XML that may alter the intended request semantics, smuggle in unauthorized fields, or manipulate the operation of the receiving service. To mitigate this issue, it is crucial to avoid serialization of untrusted data in these XML contexts or apply strict validation constraints until updated library versions are implemented.

Affected Version(s)

guzzle-services < 1.5.4

References

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.