NONE
lostisland
CVE published 2026-05-19
CVE-2026-33637
CVE-2026-33637 describes a host-override flaw in Faraday's request-building logic. In affected versions, a URI object can trigger protocol-relative handling that bypasses the earlier February 2026 fix for GHSA-33mh-2634-fwr2. That can turn a request from a fixed-base Faraday::Connection into an off-host request forgery and may forward connection-scoped values such as Authorization headers and default quer [truncated]
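The host override described above can be caught at the call site by resolving the target against the base and comparing origins. The following is an added example, not Faraday's code or its fix: it uses only Ruby's standard `URI` library, and `resolve_on_base`, `allowed?`, `OffHostTarget` and the `example.test` hosts are hypothetical names chosen for illustration.

```ruby
require "uri"

# Raised when a request target would leave the connection's fixed base origin.
# (Hypothetical error class for this example.)
class OffHostTarget < StandardError; end

# Resolve +target+ (a String or a URI object) against +base+ following
# RFC 3986 reference resolution, and return the resolved URI only when
# scheme, host and port still match the base. Checking the resolved result,
# rather than the textual form of the input, covers String and URI inputs alike.
def resolve_on_base(base, target)
  base_uri = URI(base.to_s)
  resolved = base_uri.merge(URI(target.to_s))
  same_origin = resolved.scheme == base_uri.scheme &&
                resolved.host.to_s.downcase == base_uri.host.to_s.downcase &&
                resolved.port == base_uri.port
  unless same_origin
    raise OffHostTarget, "#{target} resolves to #{resolved.host}, not #{base_uri.host}"
  end
  resolved
end

# Constructed sample base URL for the example.
BASE = "https://api.example.test/v1/"

# Convenience wrapper: true when the target stays on the base origin.
def allowed?(target)
  resolve_on_base(BASE, target)
  true
rescue OffHostTarget
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: relative paths, a protocol-relative String,
  # a protocol-relative URI object, and an absolute off-host URL.
  ["users/1", "/v2/items", "//other.example.test/x",
   URI("//other.example.test/x"), "https://other.example.test/x"].each do |t|
    puts format("%-40s %s", t.inspect, allowed?(t) ? "on-host" : "REJECTED")
  end
end
```

Running the guard before handing a caller-supplied path to the connection keeps connection-scoped headers from being attached to a request for another host.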