Lucene search
+L

10321 matches found

Cvelist
Cvelist
added 2026/07/03 6:15 a.m.51 views

CVE-2026-8926 password leak with netrc and user in URL

When asking curl to use a .netrc file to find credentials and at the same time specifying a URL with a usernamewithout a password, like https://[email protected]/, curl could wrongly get and use the password for another user set in the .netrc file for that host if such a one exists and there is no...

0.0061EPSS
Exploits1References3
EUVD
EUVD
added 2026/07/03 6:15 a.m.10 views

EUVD-2026-41507

When asking curl to use a .netrc file to find credentials and at the same time specifying a URL with a usernamewithout a password, like https://[email protected]/, curl could wrongly get and use the password for another user set in the .netrc file for that host if such a one exists and there is no...

6AI score0.0061EPSS
Exploits1References3
CVE
CVE
added 2026/07/03 6:15 a.m.42 views

CVE-2026-8926

CVE-2026-8926 affects curl when using a .netrc file for credentials while the URL contains a username (no password). The vulnerability can cause curl to fetch and use the password of another user for the same host if a matching host exists in .netrc, leading to credential disclosure. The issue is...

9.1CVSS6AI score0.0061EPSS
Exploits1References3Affected Software1
AlpineLinux
AlpineLinux
added 2026/07/03 6:15 a.m.8 views

CVE-2026-8926

When asking curl to use a .netrc file to find credentials and at the same time specifying a URL with a usernamewithout a password, like https://[email protected]/, curl could wrongly get and use the password for another user set in the .netrc file for that host if such a one exists and there is no...

9.1CVSS6AI score0.0061EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/07/03 6:15 a.m.61 views

CVE-2026-8925 SASL double-free

The curl logic that works with SASL authentication could end up cleaning up the GSASL context twice without clearing the pointer in between, making it free the same pointer twice...

0.0108EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/07/03 6:15 a.m.11 views

CVE-2026-8925

The curl logic that works with SASL authentication could end up cleaning up the GSASL context twice without clearing the pointer in between, making it free the same pointer twice...

5.9AI score0.0108EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/07/03 6:15 a.m.8 views

EUVD-2026-41506

The curl logic that works with SASL authentication could end up cleaning up the GSASL context twice without clearing the pointer in between, making it free the same pointer twice...

5.9AI score0.0108EPSS
Exploits1References3
OSV
OSV
added 2026/07/03 6:15 a.m.3 views

CVE-2026-8925 SASL double-free

The curl logic that works with SASL authentication could end up cleaning up the GSASL context twice without clearing the pointer in between, making it free the same pointer twice...

9.8CVSS6.1AI score0.0108EPSS
Exploits1References5
CVE
CVE
added 2026/07/03 6:15 a.m.23 views

CVE-2026-8925

CVE-2026-8925 affects curl with SASL authentication. The issue is a double-free: the GSASL context can be cleaned up twice without clearing the pointer, potentially freeing the same pointer twice. This vulnerability is present in curl versions prior to 8.21.0 (e.g., 8.15.0), and remote exploitati...

9.8CVSS5.9AI score0.0108EPSS
Exploits1References3Affected Software1
AlpineLinux
AlpineLinux
added 2026/07/03 6:15 a.m.7 views

CVE-2026-8925

The curl logic that works with SASL authentication could end up cleaning up the GSASL context twice without clearing the pointer in between, making it free the same pointer twice...

9.8CVSS5.9AI score0.0108EPSS
Exploits1References3
EUVD
EUVD
added 2026/07/03 6:15 a.m.7 views

EUVD-2026-41505

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...

6AI score0.00649EPSS
Exploits1References3
CVE
CVE
added 2026/07/03 6:15 a.m.33 views

CVE-2026-8924

CVE-2026-8924 – curl cookie parsing flaw. The vulnerability arises from curl’s cookie parsing logic, enabling a malicious HTTP server to set ‘super cookies’ that bypass the Public Suffix List check. This allows an attacker-controlled origin to inject cookies that curl subsequently scopes and tran...

9.1CVSS6AI score0.00649EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/07/03 6:15 a.m.78 views

CVE-2026-8924 trailing dot domain super cookie

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...

0.00649EPSS
Exploits1References3
AlpineLinux
AlpineLinux
added 2026/07/03 6:15 a.m.7 views

CVE-2026-8924

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...

9.1CVSS6AI score0.00649EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/07/03 6:13 a.m.14 views

CVE-2026-12064

When a user invokes curl using a schemeless URL combined with --proto-default sftp or scp, a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like...

6AI score0.00574EPSS
Exploits1References4Affected Software1
AlpineLinux
AlpineLinux
added 2026/07/03 6:13 a.m.15 views

CVE-2026-12064

When a user invokes curl using a schemeless URL combined with --proto-default sftp or scp, a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like...

7.5CVSS6AI score0.00574EPSS
Exploits1References3
EUVD
EUVD
added 2026/07/03 6:13 a.m.7 views

EUVD-2026-41500

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages...

6AI score0.0086EPSS
Exploits1References3
OSV
OSV
added 2026/07/03 6:13 a.m.4 views

CVE-2026-11586 WS Auto-PONG memory exhaustion

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages...

7.5CVSS6.1AI score0.0086EPSS
Exploits1References5
CVE
CVE
added 2026/07/03 6:13 a.m.70 views

CVE-2026-11586

CVE-2026-11586 : curl is vulnerable to memory exhaustion via WebSocket PING handling. The description across sources states that curl automatically responds to WebSocket PING frames and lacks an upper bound on memory allocation for unacknowledged frames, enabling a malicious server to flood curl ...

7.5CVSS6AI score0.0086EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/07/03 6:13 a.m.37 views

CVE-2026-11586 WS Auto-PONG memory exhaustion

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages...

0.0086EPSS
Exploits1References3
Rows per page
Query Builder