PatchSiren cyber security CVE debrief
CVE-2026-59882 guzzle CVE debrief
CVE-2026-59882 is a vulnerability in Guzzle PSR-7, a PSR-7 HTTP message library implementation in PHP. Prior to version 2.12.3, the Uri::assertValidHost() function does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets. This allows Uri::getHost() to disagree with the URI authority used for security or routing decisions. The issue is fixed in version 2.12.3. Developers and administrators using Guzzle PSR-7 in their applications should be aware of this vulnerability and take steps to upgrade to version 2.12.3 or apply compensating controls.
- Vendor
- guzzle
- Product
- psr7
- CVSS
- MEDIUM 4.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Developers and administrators using Guzzle PSR-7 in their applications should be aware of this vulnerability and take steps to upgrade to version 2.12.3 or apply compensating controls. This includes reviewing and validating URI host components in applications, implementing compensating controls to mitigate potential security risks, and confirming whether affected product deployments exist in managed environments.
Technical summary
The vulnerability exists in the Uri::assertValidHost() function of Guzzle PSR-7. This function fails to properly validate URI host components, allowing for potential security issues. Specifically, it does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets. As a result, Uri::getHost() may return a value that does not accurately represent the URI authority, which could impact security or routing decisions made by applications using this library. The issue has been addressed in version 2.12.3.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to Guzzle PSR-7 version 2.12.3 or later
- Review and validate URI host components in applications using Guzzle PSR-7
- Implement compensating controls to mitigate potential security risks
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-08T17:17:26.597Z and was last modified on 2026-07-10T19:01:16.053Z. The NVD entry is currently awaiting analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The issue is fixed in version 2.12.3 of Guzzle PSR-7.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T17:17:26.597Z and has not been modified since then.