CVE-2026-47729
PoC claimed, real vulnerability likely, but no KEV, no vendor advisory, metadata incomplete.
What: Squidbleed — a 29-year-old heap overread in Squid Proxy default configuration that leaks HTTP Authorization headers and session credentials across shared-network users (CVSS/EPSS unknown; NVD not yet enriched).
Why it matters: Social chatter emphasizes Heartbleed-style memory disclosure affecting all Squid versions by default. Posts reference a PoC and research project, but no KEV listing, vendor advisory, or confirmed in-the-wild exploitation yet. Metadata gap (NVD enrichment pending) prevents validation of scope and severity claims.
Where it's seen: Twitter and Bluesky amplifying a single research narrative (Squidbleed project); posts repeat identical phrasing suggesting coordinated or syndicated coverage. One security news outlet aggregating; low absolute engagement (top post ~10 interactions). No defender triage signals, no patch guidance.
RISK: HIGH — Default-config memory leak in widely-deployed proxy; credentials exposed cross-user if confirmed.
No NVD details ingested for this CVE yet.