Cross-host Cookie Disclosure Vulnerability in Guzzle PHP HTTP Client
CVE-2026-59883

4.7MEDIUM

Key Information:

Vendor

Guzzle

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59883?

The Guzzle PHP HTTP Client prior to version 7.12.3 contains a vulnerability in its CookieJar component, which allows cookies scoped to IP-address or numerical Domain values to be improperly matched. This can lead to cross-host cookie disclosure, allowing malicious actors to inject cookies or exploit session fixation vulnerabilities. Users of Guzzle are advised to update to version 7.12.3 or later to mitigate this potential risk.

Affected Version(s)

guzzle < 7.12.3

References

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.