← back

CVE-2026-47729

hype MIXED · 48 hack

PoC claimed, real vulnerability likely, but no KEV, no vendor advisory, metadata incomplete.

What: Squidbleed — a 29-year-old heap overread in Squid Proxy default configuration that leaks HTTP Authorization headers and session credentials across shared-network users (CVSS/EPSS unknown; NVD not yet enriched).

Why it matters: Social chatter emphasizes Heartbleed-style memory disclosure affecting all Squid versions by default. Posts reference a PoC and research project, but no KEV listing, vendor advisory, or confirmed in-the-wild exploitation yet. Metadata gap (NVD enrichment pending) prevents validation of scope and severity claims.

Where it's seen: Twitter and Bluesky amplifying a single research narrative (Squidbleed project); posts repeat identical phrasing suggesting coordinated or syndicated coverage. One security news outlet aggregating; low absolute engagement (top post ~10 interactions). No defender triage signals, no patch guidance.

RISK: HIGH — Default-config memory leak in widely-deployed proxy; credentials exposed cross-user if confirmed.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/23/2026, 8:29:31 AM

No NVD details ingested for this CVE yet.