5 matches found

CVE
added yesterday, 11 views

CVE-2026-50019

Summary of CVE-2026-50019 (yt-dlp): When curl is used as an external downloader, yt-dlp may leak cookies to unintended hosts during HTTP redirects or when the host for download fragments differs from the manifest. At the file-download stage, cookies are passed via --cookie; unless cookies are lo...

CVSS 6.1 | AI score 5.8 | EPSS 0.00031
Exploits: 0 | References: 1

EUVD
added yesterday, 4 views

EUVD-2026-38497

yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file downloa...

CVSS 6.1 | AI score 5.8 | EPSS 0.00031
Exploits: 0 | References: 1

Github Security Blog
added 2026/06/16 8:16 p.m., 7 views

yt-dlp: File Downloader cookie leak with curl

Summary: If curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. This is the equivalent to GHSA-v8mc-9377-rwjj for the curl downloader. The vulnerable behavior is...

CVSS 6.1 | AI score 5.3 | EPSS 0.00031
Exploits: 0 | References: 5 | Affected Software: 1

Tenable Nessus
added 2025/11/13 12:0 a.m., 6 views

Siemens SIMATIC S7-1500 Missing Encryption of Sensitive Data (CVE-2022-27779)

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot. curl can be told to receive and send cookies. curl's cookie engine can be built with or without Public Suffix List awareness. If PSL support is not provided, a more rudimentary check...

CVSS 5.3 | AI score 6.6 | EPSS 0.02414
Exploits: 1 | References: 4

Microsoft CVE
added 2022/06/15 7:0 a.m., 2 views

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot. curl can be told to receive and send cookies. curl's "cookie engine" can be built with or without [Public Suffix List](https://publicsuffix.org/) awareness. If PSL support is not provided, a more rudimentary check exists to at least prevent cookies from being set on TLDs. This check was broken if the host name in the URL uses a trailing dot. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.

...

CVSS 5.3 | AI score 6.5 | EPSS 0.02414
Exploits: 1