Skip to main content

Guzzle

6 CVEs product

Monthly

CVE-2026-59883 MEDIUM PATCH This Month

Cookie domain suffix-matching bypass in Guzzle PHP HTTP client (prior to 7.12.3) allows cross-host cookie disclosure, cookie injection, and session fixation when an application makes requests to multiple IP-address-based or bare-numeric-domain hosts within a shared CookieJar session. The SetCookie::matchesDomain() method incorrectly applied suffix-matching logic - valid for FQDN hierarchies - to numeric domain identifiers such as 192.168.0.1, [::1], and bare labels like 1, meaning a cookie set by one numeric host could be forwarded to a structurally related but distinct host. No public exploit has been identified at time of analysis; a vendor-released patch is available in version 7.12.3.

Code Injection PHP Guzzle
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2022-31091 PHP HIGH PATCH This Week

Guzzle, an extensible PHP HTTP client. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Guzzle Debian Linux
NVD GitHub
CVSS 3.1
7.7
EPSS
1.4%
CVE-2022-31090 PHP HIGH PATCH This Week

Guzzle, an extensible PHP HTTP client. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Guzzle Debian Linux
NVD GitHub
CVSS 3.1
7.7
EPSS
1.8%
CVE-2022-31043 PHP HIGH PATCH This Week

Guzzle is an open source PHP HTTP client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Guzzle Drupal Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2022-31042 PHP HIGH PATCH This Week

Guzzle is an open source PHP HTTP client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Guzzle Drupal Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2022-29248 PHP HIGH PATCH This Week

Guzzle is a PHP HTTP client. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Guzzle Drupal Debian Linux
NVD GitHub
CVSS 3.1
8.1
EPSS
1.2%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cookie domain suffix-matching bypass in Guzzle PHP HTTP client (prior to 7.12.3) allows cross-host cookie disclosure, cookie injection, and session fixation when an application makes requests to multiple IP-address-based or bare-numeric-domain hosts within a shared CookieJar session. The SetCookie::matchesDomain() method incorrectly applied suffix-matching logic - valid for FQDN hierarchies - to numeric domain identifiers such as 192.168.0.1, [::1], and bare labels like 1, meaning a cookie set by one numeric host could be forwarded to a structurally related but distinct host. No public exploit has been identified at time of analysis; a vendor-released patch is available in version 7.12.3.

Code Injection PHP Guzzle
NVD GitHub VulDB
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Guzzle, an extensible PHP HTTP client. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Guzzle +1
NVD GitHub
EPSS 2% CVSS 7.7
HIGH PATCH This Week

Guzzle, an extensible PHP HTTP client. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Guzzle +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Guzzle is an open source PHP HTTP client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Guzzle +2
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Guzzle is an open source PHP HTTP client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Guzzle +2
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Guzzle is a PHP HTTP client. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Guzzle +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy