Vulnerability in Curl

CVE-2026-9546

A vulnerability in libcurl caused the HTTP `Referer:` header to persist even when explicitly cleared. While the documentation states that passing NULL to `CURLOPT_REFERER` suppresses the header, the option failed to clear the internal stat…

Affected products

  • Curl — versions 8.20.0, 8.19.0, 8.18.0

References