20 matches found
EUVD-2026-41507
When asking curl to use a .netrc file to find credentials and at the same time specifying a URL with a usernamewithout a password, like https://[email protected]/, curl could wrongly get and use the password for another user set in the .netrc file for that host if such a one exists and there is no...
curl: mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0
Summary When an application sets CURLOPTSSLVERIFYPEER=0 while keeping CURLOPTSSLVERIFYHOST=2 the default, the mbedTLS, wolfSSL, and rustls TLS backends silently skip the hostname-vs-certificate check. The OpenSSL, GnuTLS, and Schannel backends correctly preserve hostname checking under the same...
CVE-2026-7009 OCSP stapling bypass with Apple SecTrust
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine...
PT-2026-35897
Name of the Vulnerable Software and Affected Versions curl affected versions not specified Description When using the Certificate Status Request TLS extension, commonly known as OCSP stapling, to verify server certificate validity, the software fails to detect OCSP problems and incorrectly treats...
CVE-2026-4587 HybridAuth SSL Curl.php certificate validation
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...
Tenable Security Center Multiple Vulnerabilities (TNS-2026-06)
According to its self-reported version, the Tenable Security Center running on the remote host prior or equal to 6.7.2 and missing relevant patches. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2026-06 advisory. - In PHP versions:8.1. before 8.1.34, 8.2. before...
EulerOS 2.0 SP11 : curl (EulerOS-SA-2025-2478)
According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : 1. A cookie is set using the secure keyword for https://target 2. curl is redirected to or otherwise made to speak with http://target same hostname,...
EUVD-2021-7242
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-8030
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient escaping in the Copy as cURL feature could potentially be used to trick a user into executing unexpected code. This vulnerability was fixed in...
curl: curl ASSERTs when accessing an LDAP URL
Summary: curl can crash when accessing an LDAP URL. curl ldap://localhost:1388 curl: result.c:930: tryread1msg: Assertion !BERBVISEMPTY &resoid ' failed. Aborted core dumped No AI was used in the production of this report. This was enabled by oss-fuzz, but initiated by me adding LDAP support to...
Linux Distros Unpatched Vulnerability : CVE-2023-46219
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS...
Medium: curl
Issue Overview: When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform...
curl: When curl uses Schannel as TLS backend, it fails to enforce TLS 1.3 cipher suite selections correctly
Vulnerability description not provided...
UBUNTU-CVE-2024-2004
When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been...
OESA-2023-1959 curl security update
cURL is a computer software project providing a library libcurl and command-line tool curl for transferring data using various protocols. Security Fixes: When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file...
AZL-32125 CVE-2023-46219 affecting package mysql for versions less than 8.0.40-1
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use...
AZL-35020 CVE-2023-46219 affecting package mysql for versions less than 8.0.40-1
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use...
SUSE-SU-2023:4659-1 Security update for curl
This update for curl fixes the following issues: - CVE-2023-46218: Fixed cookie mixed case PSL bypass bsc1217573. - CVE-2023-46219: HSTS long file name clears contents bsc1217574...
SUSE-SU-2021:1396-1 Security update for curl
This update for curl fixes the following issues: - CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials bsc1183933...
UBUNTU-CVE-2020-8177
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used...