{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-48979/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-17T20:43:25.971Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-48979","@id":"https://www.cve.org/CVERecord?id=CVE-2026-48979","description":"PHP Standard Library (PSL) is set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\\H2\\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, allowing request smuggling. This is in violation of RFC 9113 §8.1.1. A malicious client is able to send more DATA bytes than declared, smuggling additional content past application-level siz"},"products":[{"@id":"cpe:2.3:a:php-standard-library:php-standard-library:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:php-standard-library:php-standard-library:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:php-standard-library:php-standard-library\\/h2:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:php-standard-library:php-standard-library\\/h2:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-17T20:43:25.971Z"}]}