[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"public-cve-CVE-2026-48998":3,"news-by-cve-CVE-2026-48998-10":64},{"vendor_context":4,"has_nuclei_templates":13,"assigner_org":14,"assigner_short_name":14,"cvss_vector":15,"has_workaround":13,"attack_technique_count":16,"sources":17,"date_published":20,"date_updated":21,"nvd_cvss_vector":15,"cvss_source":19,"kev_ransomware_use":13,"sectors":22,"state":23,"cvss_score":24,"in_kev":13,"reference_count":25,"attack_techniques":26,"references_preview":41,"cvss_severity":44,"has_exploit":13,"exploit_count":45,"affected_product_count":25,"nuclei_template_count":45,"affected_products_preview":46,"id":50,"title":51,"source_identifier":52,"nvd_cvss_severity":44,"attack_tactics":53,"remediation_summary":54,"nvd_cvss_score":24,"has_solution":13,"description":55,"tags":56,"has_ai_summary":13,"has_attack_graph":57,"cvss_version":58,"weaknesses":59},[5],{"vendor":6,"vendor_type":7,"aliases":8,"sector":11,"subsector":12},"guzzle","oss-project",[9,10],"guzzlehttp","guzzlehttp/guzzle","oss-libraries","generic-library",false,"","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",2,[18,19],"cvelist","nvd","2026-06-11T12:34:32Z","2026-06-11T15:25:07Z",[11],"PUBLISHED",5.3,1,[27,34],{"confidence":28,"technique_id":29,"technique_name":30,"tactic":31,"tactic_name":32,"url":33},"high","T1090","Proxy","command-and-control","Command and Control","https://attack.mitre.org/techniques/T1090/",{"technique_name":35,"tactic":36,"tactic_name":37,"url":38,"confidence":39,"technique_id":40},"Exploit Public-Facing Application","initial-access","Initial Access","https://attack.mitre.org/techniques/T1190/","low","T1190",[42],{"url":43,"source":18},"https://github.com/guzzle/psr7/security/advisories/GHSA-34xg-wgjx-8xph","MEDIUM",0,[47],{"vendor":6,"product":48,"sector":11,"subsector":12,"deployment":49},"psr7","library","CVE-2026-48998","guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation","a0819718-46f1-4df5-94e2-005712e83aaa",[32,37],{"has_patch":13,"has_workaround":13},"guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as `trusted.example@evil.example`. When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value. Applications are affected if they parse attacker-controlled raw HTTP requests with `GuzzleHttp\\Psr7\\Message::parseRequest()` or the legacy 1.x `GuzzleHttp\\Psr7\\parse_request()` function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host. The issue is patched in `2.10.2`. `1.x` is end-of-life and will not receive a patch. Some workarounds are available. Validate the `Host` header as `uri-host [ \":\" port ]` before calling `Message::parseRequest()` or legacy `parse_request()` on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters.",[],true,"3.1",[60,62],{"cwe_id":61,"name":14},"CWE-20",{"cwe_id":63,"name":14},"CWE-918",{"cve_id":50,"items":65,"total":45},[]]