{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-9546",
  "aliases": [
    "CVE-2026-9546"
  ],
  "summary": "sending old referer",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-9546.json",
    "www": "https://curl.se/docs/CVE-2026-9546.html",
    "issue": "https://hackerone.com/reports/3754343",
    "CWE": {
      "id": "CWE-200",
      "desc": "Exposure of Sensitive Information to an Unauthorized Actor"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.18.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "2cb868242dc2ac9cd52ee64987ef51d5964a56f9"},
             {"fixed": "862e8a74a84478d82973471b4f49dc2746c1780e"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "renjian on hackerone",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "A vulnerability in libcurl caused the HTTP `Referer:` header to persist even\nwhen explicitly cleared. While the documentation states that passing NULL to\n`CURLOPT_REFERER` suppresses the header, doing so failed to clear the\ninternal state. As a result, the previous referrer string was erroneously\nreused and sent in subsequent requests, potentially leaking sensitive\ninformation to unintended servers.\n\nApplications that rely on passing NULL to `CURLOPT_REFERER` to stop sending a\nreferrer should not depend on that behavior in the affected versions (8.18.0\nthrough 8.20.0); the issue is fixed in 8.21.0."
}