37 matches found
CURL-CVE-2026-11352 QUIC zero-length UDP datagrams busy-loop
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can...
JLSEC-2026-420 When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could...
When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare...
JLSEC-2026-411 This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back...
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a...
CVE-2025-15224
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent...
EUVD-2016-9468
Malware in sbrugna...
EUVD-2016-9465
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2016-8616
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in curl before version 7.51.0. When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existi...
Linux Distros Unpatched Vulnerability : CVE-2016-8623
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure...
CVE-2024-11053
A flaw was found in curl. A logic error when processing credentials from the .netrc file while performing redirects allows the transfer of credentials from the original host to the followed-to host under certain circumstances, leaking the credentials to the followed-to host. Mitigation Avoid usin...
curl: TLS certificate check bypass with mbedTLS
A flaw was found in curl. When curl is built to use mbedTLS as the TLS backend, it does not check the server certificate of TLS connections done to a host specified as an IP address...
curl: Usage of disabled protocol
A flaw was found in curl. When a protocol selection parameter disables all protocols without adding any, the default set of protocols remains in the allowed set due to a logic error, allowing usage of disabled protocols...
Low: curl
Issue Overview: A flaw was found in Curl, where it inadvertently kept the SSL session ID for connections in its cache even when the verify status, OCSP stapling test, failed. A subsequent transfer to the same hostname could succeed if the session ID cache were still fresh, which then skips the...
curl: FTP too eager connection reuse
A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic...
curl: cookie injection with none file
A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if a specific series of conditions is met...
curl: out of heap memory issue due to missing limit on header quantity
A flaw was found in the Curl package. Curl allows a malicious server to stream an endless series of headers to a client due to missing limit on header quantity, eventually causing curl to run out of heap memory, which may lead to a crash...
DEBIAN-CVE-2023-46218
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a...
curl: cookie injection with none file
A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if a specific series of conditions is met...
curl: GSS delegation too eager connection re-use
A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, the GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting...
curl: IDN wildcard match may lead to Improper Certificate Validation
A flaw was found in the Curl package. An incorrect International Domain Name (IDN) wildcard match may lead to improper certificate validation...
curl: HTTP multi-header compression denial of service
A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors...