Lucene search
K

1312215 matches found

Hacker One
Hacker One
added 2026/05/14 11:47 a.m.11 views

curl: CVE-2026-8925: SASL double-free

Hi all, We found a double-free in the GSASL authentication path — Curlauthgsaslissupported frees gsasl-ctx on a failed gsaslclientstart but never nulls the pointer, and then Curlauthgsaslcleanup frees it again unconditionally at connection teardown. The bug lives in two spots...

9.8CVSS5.9AI score0.0108EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/14 11:38 a.m.8 views

curl: CVE-2026-8926: password leak with netrc and user in URL

Hey all, Before the following report, I just want to point to a comment from our scanner, where it seems it was already picked up but it was dismissed and the PR was closed later by another commit - https://github.com/curl/curl/pull/20932issuecomment-4072903895 Nonetheless, it appears this issue...

9.1CVSS5.8AI score0.0061EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/14 11:36 a.m.21 views

curl: HTTPS proxy connection reuse lets one easy handle inherit another handle's mTLS-authenticated proxy session

Summary: libcurl can reuse an already mTLS-authenticated HTTPS proxy TLS connection for a different easy handle even when that second handle does not have the proxy private key required to establish the session itself. The issue happens because the HTTPS proxy connection reuse identity does not...

6AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 11:36 a.m.26 views

curl: CURLOPT_PROXY_CAINFO_BLOB silently activates native CA store on Apple builds

Hi all, CURLOPTPROXYCAINFOBLOB introduced 7.77.0 never sets proxyssl.customcablob. On USEAPPLESECTRUST / CURLCANATIVE builds this causes curl to silently fall back to the system keychain for proxy TLS verification, nullifying the caller's blob-only trust policy. --- Root cause lib/setopt.c handle...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 11:14 a.m.25 views

curl: libssh SFTP initialization ignores CURLOPT_TIMEOUT, hangs indefinitely

Hi all, The libssh backend in lib/vssh/libssh.c ignores CURLOPTTIMEOUT / --max-time during SFTP subsystem negotiation. A server that completes SSH authentication and then stalls before answering the SSHFXPINIT packet will pin the curl process indefinitely — no timeout fires, no error is returned,...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 11:6 a.m.26 views

curl: Schannel custom-CA path skips Extended Key Usage enforcement

Hi all, We believe the Schannel custom-CA verification path in lib/vtls/schannelverify.c may skip Extended Key Usage enforcement. In particular, a certificate that chains to the trusted custom CA but contains only id-kp-clientAuth, rather than id-kp-serverAuth, may pass peer verification on Windo...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 10:48 a.m.34 views

curl: HTTP/3 paused transfer buffers incoming data without bound up to ~1 GiB

Hi all, When a libcurl application's CURLOPTWRITEFUNCTION returns CURLWRITEFUNCPAUSE, libcurl routes subsequent incoming body data through cw-pause lib/cw-pause.c. The bufq inside cw-pause is initialised with BUFQOPTSOFTLIMIT and a chunk size of 16 KiB lib/cw-pause.c:51-52, which causes bufq to...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 10:40 a.m.35 views

curl: rustls backend silently ignores CURLOPT_CRLFILE when native CA store is active

Hi all, When the rustls backend is configured to use the OS native CA store --ca-native / CURLSSLOPTNATIVECA, any CRL file supplied via --crlfile / CURLOPTCRLFILE is silently ignored. The option is accepted — CURLEOK from curleasysetopt, exit 0 from the command line — and revoked certificates pas...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 10:35 a.m.40 views

curl: Trailing-dot IPv4 URL bypasses IP-address guard, allows wildcard DNS SAN match

Hi all, Sorry to ruin anybody's day, but we've discovered another issue when it comes to dots. We've found a TLS certificate verification bypass that lets a trailing-dot IPv4 URL -- https://127.0.0.1./ -- pass peer authentication against a wildcard DNS SAN certificate such as DNS:.0.0.1. The IP...

4.3CVSS5.9AI score0.01118EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/14 7:47 a.m.20 views

Mozilla: Taskcluster web-server OAuth2 authorization codes are reusable and the exchange handler checks the wrong expiry column

The Taskcluster web-server's OAuth2 token-exchange handler did not consume authorization codes and did not enforce the authorization-code expiry. A leaked authorization code could be replayed to mint additional bridge access tokens for the original user, past the 10-minute window required by the...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 2:27 a.m.43 views

Rocket.Chat: Autotranslate DDP Method Exposes Private Messages Without Authentication or Room Access Check

Vulnerability description not provided...

7.5CVSS5.8AI score0.00283EPSS
Exploits0
Hacker One
Hacker One
added 2026/05/13 11:33 p.m.42 views

curl: TLS verifyhost bypass in rustls, mbedTLS, and wolfSSL when verifypeer=0

The now-well-known CURLOPTSSLVERIFYHOST-bypass-when-CURLOPTSSLVERIFYPEER=0 defect exists in three of curl's TLS backends: rustls EXPERIMENTAL, mbedTLS, and wolfSSL DNS hostnames only. The documented contract at docs/libcurl/opts/CURLOPTSSLVERIFYPEER.md:57-59: The check that the host name in the...

5.8CVSS6.5AI score0.04888EPSS
Exploits0
Hacker One
Hacker One
added 2026/05/13 10:42 p.m.33 views

curl: HTTP/2 proxy CONNECT tunnel unbounded 1xx chain (missing Curl_bump_headersize cap in cf-h2-proxy.c)

A malicious HTTPS-on-HTTP/2 proxy can grow a libcurl client's resident set without bound during the CONNECT phase by streaming 1xx informational responses. The CVE-2023-38039 cap MAXHTTPRESPHEADERSIZE, 300 KiB, enforced through Curlbumpheadersize is not applied on the HTTP/2 proxy path. The HTTP/...

7.5CVSS6.6AI score0.62246EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/13 10:12 p.m.28 views

curl: HSTS multi-trailing-dot bypass-ish: possible incomplete fix for CVE-2022-30115

Hi all, Honestly, I'm not completely certain about this issue, but I think the CVE-2022-30115 fix "HSTS bypass via trailing dot" is incomplete: the same asymmetry exists for hostnames with two or more trailing dots, so http://example.com../ still gets sent in plaintext when there's a valid HSTS...

4.3CVSS6.8AI score0.01118EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/13 9:54 p.m.261 views

curl: Credentials forwarded to HTTP after HTTPS→HTTP same-port redirect — url_set_data_creds uses scheme-blind comparator

Hi all, The recent creds: hold credentials refactor — commit 8f71d0fde5 2026-05-11 https://github.com/curl/curl/commit/8f71d0fde5 — introduced a credential-leak regression on HTTPS→HTTP same-port redirects. -u user:pass and --oauth2-bearer both end up in cleartext after a 302 from https://h:N/ to...

5.7CVSS6.7AI score0.01595EPSS
Exploits2
Hacker One
Hacker One
added 2026/05/13 9:50 p.m.24 views

curl: CURLOPT_HSTS_CTRL disables shared HSTS without share guard — use-after-free and double-free

Hi all, CURLOPTHSTSCTRL set to a value without CURLHSTSENABLE unconditionally frees the easy's HSTS object — even when that object is shared via a CURLSH. The result is a use-after-free and a double-free on the shared 48-byte struct hsts block when the share or any other linked easy is later torn...

9.8CVSS6.7AI score0.03398EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/13 9:34 p.m.7 views

curl: CVE-2026-8932: incomplete mTLS config matching in conn reuse

Hi all, This report and my multiple subsequent ones may come as a surprise, as I was assured that curl now had zero vulnerabilities in it. Nonetheless, I think the CVE-2022-27782 fix "TLS and SSH connection too eager reuse", commit f18af4f874 2022-05-09, "tls: check more TLS details for connectio...

7.5CVSS6.6AI score0.02596EPSS
Exploits2
Hacker One
Hacker One
added 2026/05/13 9:30 p.m.7 views

curl: CVE-2026-8924: trailing dot domain super cookie

Summary: A PSL-enabled curl build rejects a canonical public suffix cookie such as Domain=co.uk, but accepts the trailing-dot variant Domain=co.uk. when the request host also uses a trailing dot. In the reproduced case, a response from foo.co.uk. sets Set-Cookie: trail=1; Domain=co.uk.; Path=/, a...

9.1CVSS5.8AI score0.00649EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/10 11:9 p.m.27 views

curl: Kerberos/SPNEGO Connection Reuse Vulnerability

Kerberos/SPNEGO Connection Reuse Vulnerability in curl Summary curl reuses HTTP connections across different users without checking Kerberos state. User B's request can inherit User A's GSS security context, allowing authentication bypass. Affected Versions All curl versions with Kerberos support...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/09 6:25 p.m.17 views

Khan Academy: 1-Click Account Takeover via Open Redirect through Regex Bypass in Domain Validation

A vulnerability was discovered in the Khan Academy platform that allowed an attacker to achieve full account takeover of any user. The vulnerability was caused by an unescaped dot flaw in the regular expression used to validate redirect URLs. This allowed the attacker to register a malicious doma...

5.9AI score
Exploits0
Rows per page
Query Builder