SCA: security update for guzzlehttp/guzzle (GHSA-cwxw-98qj-8qjx)

medium Tenable Self-Hosted Container Security Plugin ID 443598

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a
dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots
from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only
rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was
treated as matching any request host. An attacker-controlled origin that an application requests with a
shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same
jar. This may allow cookie injection or session fixation against downstream services, depending on how
those services interpret the injected cookie. This vulnerability is fixed in 7.12.1. (CVE-2026-55767)

Solution

Update the guzzlehttp/guzzle library and its related packages to version 7.12.1 or later.

See Also

https://github.com/advisories/GHSA-cwxw-98qj-8qjx

Plugin Details

Severity: Medium

ID: 443598

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 6/19/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-55767

CVSS v3

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/19/2026

Vulnerability Publication Date: 6/19/2026

Reference Information

CVE: CVE-2026-55767