Cross-host Cookie Disclosure Vulnerability in Guzzle PHP HTTP Client
CVE-2026-59883
4.7MEDIUM
What is CVE-2026-59883?
The Guzzle PHP HTTP Client prior to version 7.12.3 contains a vulnerability in its CookieJar component, which allows cookies scoped to IP-address or numerical Domain values to be improperly matched. This can lead to cross-host cookie disclosure, allowing malicious actors to inject cookies or exploit session fixation vulnerabilities. Users of Guzzle are advised to update to version 7.12.3 or later to mitigate this potential risk.
Affected Version(s)
guzzle < 7.12.3
