curl: Shared HSTS cache accessed without lock
This is finding F5 in Andrew's report: https://github.com/curl/curl/blob/455bebc2c7/lib/hsts.c#L160-L168 https://github.com/curl/curl/blob/455bebc2c7/lib/http.c#L3571 https://github.com/curl/curl/blob/455bebc2c7/lib/url.c#L1441 https://github.com/curl/curl/blob/455bebc2c7/lib/url.c#L265...
curl: CURLOPT_PROXY_CRLFILE / CURLOPT_PROXY_ISSUERCERT / CURLOPT_PROXY_ISSUERCERT_BLOB silently ignored on backends that don't support them
From the Mythos report 2026-05-06 F1. CURLOPT_PROXY_CRLFILE / CURLOPT_PROXY_ISSUERCERT / CURLOPT_PROXY_ISSUERCERT_BLOB silently ignored on backends that don't support them — severity Low https://github.com/curl/curl/blob/455bebc2c7/lib/setopt.c#L1786-L1797...
curl: mbedTLS private-key blob null-termination asymmetry in lib/vtls/mbedtls.c (mbed_load_privkey)
Summary: In lib/vtls/mbedtls.c, function mbed_load_privkey (lines 653-738) passes raw sslkeyblob-data and sslkeyblob-len directly to mbedtls_pk_parse_key at lines 706-708 (mbedTLS 4.x branch) and 718-722 (mbedTLS 3.x branch), without ensuring null-termination. The mbedTLS API contract for mbedtls_pk_parse_key...
PortSwigger Web Security: UI Consent Bypass via Comma Injection in `addAutoApproveTarget` — User-Approval Dialog and Persistence Layer Disagree on Target Scope, Yielding Authen
A vulnerability was discovered in Burp Suite MCP Server BApp v1.2.1 where the addAutoApproveTarget function failed to validate the hostnames passed to it. This allowed a malicious MCP client to inject a comma-separated hostname, which was then persisted as multiple independent allow-list entries...
Rocket.Chat: IDOR: autotranslate.translateMessage Full Message Content Leak
The /api/v1/autotranslate.translateMessage endpoint allowed any authenticated user to retrieve the full content of any message from any room, including private groups, direct messages, and channels. The endpoint fetched the message without performing a room access check, returning the complete...
curl: MQTT CONNACK Packet Type Bypass leads to RCE via Malicious Broker
Summary: mqtt_verify_connack in lib/mqtt.c never checks that the received packet type is actually a CONNACK (0x20). The constant MQTT_MSG_CONNACK is commented out at line 45, making the check impossible to write. A malicious broker can send any packet — e.g. PUBACK (0x40) — with remaining_length=2 and...
PortSwigger Web Security: Burp Suite Professional: browser-powered crawl can write attacker-controlled files through file input handling
A vulnerability was discovered in Burp Suite Professional 2026.3.3 on Windows. When Burp Scanner's browser-powered crawler crawled an attacker-controlled website, the website could force Burp to write an attacker-controlled file to an attacker-controlled local path. The issue was caused by Burp's...
curl: Potential Resource Leak in tool_parsecfg.c at line 279 during fileerror
Summary: A resource leak was identified in src/tool_parsecfg.c using the Clang Static Analyzer. When a file error occurs (fileerror is true) during config parsing, the function returns PARAM_READ_ERROR without ensuring the file stream is properly closed, leading to a potential file descriptor leak...
curl: wcurl treats some URL operands after -- as curl options
I found that wcurl does not always keep operands after -- in a pure URL-data context. The documented way to pass curl options through wcurl is --curl-options, but a value supplied as a URL operand can still reach the final curl command as an option, for example wcurl -- "--url=file:///...". A...
curl: libcurl 8.20.0 incomplete fix for CVE-2026-7168: changing only CURLOPT_PROXYPORT leaks stale Proxy Digest auth to a different proxy
Summary: I found an incomplete-fix variant of CVE-2026-7168 in curl 8.20.0. The 8.20.0 fix clears state.proxydigest / state.authproxy when CURLOPT_PROXY changes, but not when only CURLOPT_PROXYPORT changes. On the same easy handle, request 1 through proxyA (CURLOPT_PROXYPORT=18197) learns Proxy Digest...
curl: MQTT state machine confusion: PINGRESP/DISCONNECT with non-zero remaining_length dispatches to stale nextstate
Summary: In lib/mqtt.c, the state machine in mqtt_doing (lines 894-911 in curl 8.20.0) does not validate that PINGRESP (0xD0) and DISCONNECT (0xE0) packets have remaining_length == 0 as required by MQTT 3.1.1 spec sections 3.13.1 and 3.14.1. A malicious broker can send a PINGRESP fixed header with non-ze...
Tor: Malicious Conflux Endpoint Can Leave Stale Global OOO Queue Accounting After Teardown
A vulnerability was discovered in Tor's Conflux OOO queue accounting. The vulnerability could cause the global OOO queue byte counter to remain inflated after a Conflux set was torn down, even though the memory had already been freed. This was due to a lack of accounting updates during the teardo...
curl: CVE-2026-7168: cross-proxy Digest auth state leak
Summary: On libcurl 8.19.0, Proxy Digest state learned from proxyA survives an independent transfer boundary on a reused easy handle and is emitted preemptively to proxyB when the proxy is changed. In the attached C PoC, the first CONNECT to proxyB carries Proxy-Authorization: Digest ... built fr...
Shopify: Missing HMAC validation on /uninstall webhook in Shopify/sample-django-app reference template
Repository: https://github.com/Shopify/sample-django-app Description The /uninstall webhook endpoint in sample-django-app processes incoming requests without verifying the X-Shopify-Hmac-Sha256 header. Shopify explicitly requires this validation as a mandatory security measure for all webhook...
curl: CVE-2026-7009: OCSP stapling bypass with Apple SecTrust
Summary: When curl is built with --with-apple-sectrust or -DUSE_APPLE_SECTRUST=ON and OpenSSL, the --cert-status / CURLOPT_SSL_VERIFYSTATUS option is silently bypassed when Apple SecTrust handles certificate chain verification instead of OpenSSL. The user explicitly requests OCSP stapling enforcement,...
HackerOne: Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql
The GraphQL query on hackerone.com/graphql allowed authenticated users to execute arbitrary Painless scripts through the sort_query argument, without server-side validation or allowlisting. This was confirmed by submitting requests with different Painless script payloads, and observing that the...
Brave Software: iOS Brave Playlist "Open in Private Tab" bypasses FaceID requirement for Private Tabs
A vulnerability was discovered in the Brave browser for iOS where adding or opening a song in the Brave playlist and holding for the "Open in new Private Tab" option bypassed the Face ID or passcode requirement for accessing Private Tabs. This affected Brave iOS version 1.88 and iOS version 26.4....
Node.js: Permission Model Bypass via `process.report.writeReport()` Path Misvalidation
A flaw was discovered in the Node.js permission model that allowed bypassing of security controls via the process.report.writeReport path misvalidation...
Rocket.Chat: Unauthenticated reading of every file via livechat auth and predicting MongoDB ObjectId()
Vulnerability description not provided...
curl: Heap-buffer-overflow in `Curl_ssl_push_certinfo_len()` — sole bounds check is `DEBUGASSERT`
Summary: Curl_ssl_push_certinfo_len in lib/vtls/vtls.c uses DEBUGASSERT(certnum < num_of_certs) as its only bounds check before writing a heap pointer into ci->certinfo[certnum]. DEBUGASSERT is a no-op in every release/production build (lib/curl_setup.h:1084). Any mismatch between the count passed to...