CVE-2026-59882

NameCVE-2026-59882
Descriptionguzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost() to disagree with the URI authority used for security or routing decisions. This issue is fixed in version 2.12.3.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-guzzlehttp-psr7 (PTS)bullseye1.7.0-1+deb11u2vulnerable
bookworm2.4.5-1vulnerable
trixie2.7.1-1vulnerable
forky2.12.3-1fixed
sid2.12.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-guzzlehttp-psr7source(unstable)2.12.3-1

Notes

[trixie] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
https://github.com/guzzle/psr7/security/advisories/GHSA-c2w2-prh8-qm98
https://github.com/guzzle/psr7/pull/811
Fixed by: https://github.com/guzzle/psr7/commit/ddd64f17d4cc1f7e5ffe6fd2c989ec7221712580 (2.12.3)

Search for package or bug name: Reporting problems