Back to overview

CVE-2026-54171

MEDIUM
6.5
CVSS 3.1
Description
Excon is usable, fast, simple HTTP 1.1 for Ruby. Prior to 1.5.0, Excon's RedirectFollower middleware failed to strip additional sensitive headers when following redirects and did not provide a custom list of headers to strip. This could cause inadvertent leakage of sensitive data when the initial request includes header information that is not intended for the new target. This issue is fixed in version 1.5.0.

Metadata

CVE ID
CVE-2026-54171
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-11 21:46 UTC
Published
2026-07-17 20:09 UTC
Last updated
2026-07-17 20:09 UTC
Primary CWE
CWE-201
CWE-201: Insertion of Sensitive Information Into Sent Data
Vendor / Product
excon / excon
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
excon excon < 1.5.0
Weakness (CWE)
CWESourceDescription
CWE-201 cna CWE-201: Insertion of Sensitive Information Into Sent Data
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
References (3)
Back to overview