Uri Validation Flaw in Guzzle HTTP Library by Guzzle
CVE-2026-59882

4.2MEDIUM

Key Information:

Vendor

Guzzle

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59882?

The guzzlehttp/psr7 library, an implementation of the PSR-7 HTTP message standard in PHP, contains a vulnerability in the Uri::assertValidHost() function. This function fails to properly validate URI host components, allowing for potential discrepancies between Uri::getHost() and the URI authority. Issues arise from acceptance of authority delimiters, embedded ports, and incorrectly formatted IPv6 brackets. This flaw can lead to erroneous security or routing decisions. All users are strongly encouraged to update to version 2.12.3 or later to remediate this vulnerability.

Affected Version(s)

psr7 < 2.12.3

References

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.