CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-11525

lowCVSS 3.7covered by 1 sourcefirst seen 2026-06-09

CSIRTS triage

What
The vulnerability allows for a downgrade of the Set-Cookie SameSite attribute via permissive substring matching.
Who is affected
Deployments using undici.
Urgency
Remediation is low urgency as the severity is low and exploitation is not currently active.
Action
Update to the latest version of undici.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-11525

Get an email if CVE-2026-11525 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-11525

CVE.org record

Embed the live status

CVE-2026-11525 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-11525 status](https://www.csirts.com/badge/CVE-2026-11525)](https://www.csirts.com/cve/CVE-2026-11525)