{"id":"ECHO-9de4-e5ae-bd39","upstream":["CVE-2026-3099"],"severity":[],"modified":"2026-05-20T08:41:34.038Z","affected":[{"package":{"ecosystem":"Echo","name":"libsoup3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.6.6-1+e3"}]}]}],"references":[{"type":"WEB","url":"https://advisory.echohq.com/cve/CVE-2026-3099"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3099"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2026-3099"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442232"},{"type":"WEB","url":"https://gitlab.gnome.org/GNOME/libsoup/-/issues/495"}],"withdrawn":"2026-05-20T08:41:34.038Z","summary":"Disputed by upstream. Stateless digest auth is by design; nonce tracking would be a feature addition.\nhttps://gitlab.gnome.org/GNOME/libsoup/-/issues/495\n"}