Hacker One
added 2 days ago, 8 views

curl: heap-use-after-free in curl_easy_cleanup() called from callback

Summary: Curl_close (lib/url.c:214) calls curl_multi_remove_handle(data->multi, data) and ignores the return value. When curl_easy_cleanup is invoked from within a write/read/progress/header callback, multi->in_callback is TRUE, so curl_multi_remove_handle (lib/multi.c:818-819) returns CURLM_RECURSIVE_API_CALL withou...

AI score 5.8
Exploits: 0
Hacker One
added 3 days ago, 8 views

curl: libcurl upload read callbacks miss recursive API guard, allowing prohibited multi API reentry and ASAN-confirmed UAF

Summary: Several libcurl upload read callback paths invoke the application-provided CURLOPT_READFUNCTION without marking the easy handle as being inside a callback. As a result, recursive multi APIs that are correctly rejected from ordinary callbacks are accepted from these upload read callback...

AI score 6
Exploits: 0
Hacker One
added 3 days ago, 9 views

curl: setopt(VERIFYPEER) from callback bypasses TLS verify on connection reuse

Summary: Curl_ssl_conn_config_update overwrites conn->ssl_config.verifypeer when curl_easy_setopt(CURLOPT_SSL_VERIFYPEER, ...) is called, with no handshake-state guard — only if(data->conn). Since setopt is documented as callable from callbacks (setopt.c:2930), an application can connect with verifypeer=0 accepti...

AI score 5.8
Exploits: 0
Hacker One
added 3 days ago, 8 views

curl: CURLSHOPT_UNSHARE race can cause UAF in shared SSL session cache during HTTPS transfer

Summary: CURLSHOPT_UNSHARE can free a shared SSL session cache while another thread is starting a normal HTTPS transfer with the same share handle. The failing transfer reaches the cache through curl_easy_perform, during the OpenSSL handshake. libcurl appears to try to reject this kind of lifetime...

AI score 5.9
Exploits: 0
Hacker One
added 6 days ago, 9 views

curl: ssh_config_matches is dead code: unauthorized SSH key reuse

Summary: libcurl's SSH connection-reuse guard ssh_config_matches — added for CVE-2022-27782 and reaffirmed by CVE-2023-27538 — is dead code in every release since 7.83.1. It compares sshc->rsa / sshc->rsa_pub between a new transfer ("needle") and a pooled connection, but on both sides those pointers are...

CVSS 7.7, AI score 6.7, EPSS 0.02596
Exploits: 2
Hacker One
added 6 days ago, 16 views

curl: mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0

Summary: When an application sets CURLOPT_SSL_VERIFYPEER=0 while keeping CURLOPT_SSL_VERIFYHOST=2 (the default), the mbedTLS, wolfSSL, and rustls TLS backends silently skip the hostname-vs-certificate check. The OpenSSL, GnuTLS, and Schannel backends correctly preserve hostname checking under the same...

AI score 5.9
Exploits: 0
Hacker One
added last week, 16 views

curl: UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback

Summary: The CVE-2026-9080 fix re-fetches the sh_entry after the socket callback inside mev_sh_entry_update, because curl_easy_pause called from that callback re-enters mev_assess and can free the entry. The same re-fetch was not applied at the caller, mev_pollset_diff, which dereferences its own entry...

AI score 5.8
Exploits: 0
Hacker One
added 2026/06/25 7:56 a.m., 8 views

curl: Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080)

Summary: libcurl's event interface lets the application's socket callback (CURLMOPT_SOCKETFUNCTION) call curl_easy_pause. CVE-2026-9080 was issued for a use-after-free that this triggers, and the fix added a post-callback re-fetch of the socket-hash entry in the UPDATE leg (mev_sh_entry_update),...

AI score 5.8
Exploits: 0
Hacker One
added 2026/06/25 7:5 a.m., 8 views

curl: CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection

Summary: The CURLOPT_HAPROXY_CLIENT_IP option accepts an arbitrary string without validating that it is a valid IP address, and without stripping special characters such as \r\n (CRLF) or spaces. Because this value is embedded directly into the HAProxy PROXY protocol v1 header line, an attacker who can...

AI score 5.9
Exploits: 0
Hacker One
added 2026/06/22 3:21 p.m., 26 views

Node.js: Node --run POSIX positional argument escaping allows shell command injection

Summary: Node.js `node --run --` attempts to append positional arguments to a package script after escaping each argument for the shell. On POSIX platforms, the escaping logic handles single quotes incorrectly. A positional argument containing a single quote can break out of the intended quoted...

AI score 6.8
Exploits: 0
Hacker One
added 2026/06/20 9:49 a.m., 3 views

Nintendo: [Splatoon 3] Kick other players with NplnLogin message

A vulnerability was discovered that allowed players to kick other players from a Splatoon 3 game using an NplnLogin message...

AI score 5.8
Exploits: 0
Hacker One
added 2026/06/15 9:56 p.m., 26 views

curl: Vulnerability Report: Buffer Overflow in Path Sanitization

Summary: Multiple buffer overflow vulnerabilities exist in the src/tool_doswin.c file due to insufficient bounds checking and improper memory management in path sanitization functions. Affected Components: - sanitize_file_name (line 180) -...

AI score 5.8
Exploits: 0
Hacker One
added 2026/06/15 11:37 a.m., 100 views

curl: Secure cookies leaked to HTTP origins through HTTPS forwarding proxy

Summary: When curl accesses an http:// origin through an HTTPS forwarding proxy, it sends Secure cookies in the request. The cookies travel in cleartext between the proxy and the origin server, visible to the proxy operator and anyone on that network path. curl also reports CURLINFO_SCHEME as...

AI score 5.5
Exploits: 0
Hacker One
added 2026/06/15 12:13 a.m., 30 views

curl: verify-release rebuilds from the tarball under verification, enabling pre-check command execution and false OK for a malicious curl release tarball

Summary: scripts/verify-release is documented as a way to independently verify a downloaded curl release tarball, but on curl-8.20.0 it extracts the tarball under verification and executes ./configure and ./scripts/dmaketgz before any trust decision is made. This creates a circular trust failure:...

AI score 5.8
Exploits: 0
Hacker One
added 2026/06/12 2:55 a.m., 14 views

curl: CVE-2026-12064: proto-default skips SSH verification

Summary: When a user invokes curl with a schemeless URL and --proto-default sftp (or scp), the tool layer guesses the URL is HTTP and skips setting the SSH security options (CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_KNOWNHOSTS). However, libcurl's runtime correctly applies --proto-default and connects via...

AI score 5.9
Exploits: 0
Hacker One
added 2026/06/11 8:27 a.m., 20 views

curl: Duplicate chunked Transfer-Encoding lets a malicious origin smuggle a response across reused HTTP proxy connections

TL;DR: A malicious HTTP origin can send "Transfer-Encoding: chunked, chunked, gzip" through a reusable HTTP proxy connection to bypass curl's "chunked must be last" guard, queue a forged HTTP response after its own response, and make curl parse that queued data as the response for a later request to...

AI score 5.5
Exploits: 0
Hacker One
added 2026/06/10 7:54 a.m., 28 views

curl: Incomplete Suppression of Transfer-Encoding: chunked Header in HTTP/2 After Redirect From HTTP/1.1

When curl sends a request with Transfer-Encoding: chunked using HTTP/1.1 and follows a redirect to an HTTP/2 endpoint, the upload_chunky flag is not properly reset. As a result, the Transfer-Encoding: chunked header is sent in the subsequent request even when HTTP/2 is negotiated/used. This violat...

AI score 5.3
Exploits: 0
Hacker One
added 2026/06/10 5:0 a.m., 7 views

curl: CVE-2026-11856: cross-origin Digest auth state leak

Summary: This issue is the HTTP sibling to the previously disclosed RTSP Digest auth leak. When an application uses libcurl and reuses the same easy handle for sequential transfers (the documented best practice), the Digest authentication state captured from the first origin is silently sent to the...

AI score 5.9
Exploits: 0
Hacker One
added 2026/06/10 4:40 a.m., 8 views

Revive Adserver: Reflected XSS in stats-video.php via improperly encoded URL parameters

A reflected XSS vulnerability was discovered in the stats-video.php script due to improper encoding of user input in the URL parameters...

CVSS 6.1, AI score 5.8, EPSS 0.00224
Exploits: 0
Hacker One
added 2026/06/09 2:20 a.m., 14 views

curl: Trailing-Dot Hostname in Redirect Silently Strips Client Certificate and Auth Credentials

Summary: When curl follows a redirect where the Location header contains a hostname with a trailing dot (e.g., https://example.com./path), Curlpeerequal (peer.c:321-330) compares the original hostname "example.com" against the redirect target "example.com." using curl_strequal, which does not normalize...

CVSS 5.7, AI score 6.6, EPSS 0.01595
Exploits: 1