1312207 matches found

Hacker One
added 2026/06/02 9:49 a.m., 24 views

curl: RTSP Digest auth state leaks across origins on reused libcurl easy handle

Summary: When a reused libcurl easy handle first authenticates to one RTSP origin with Digest authentication and is then switched to a different RTSP origin, libcurl can send the old origin's Digest authentication state to the new origin. The second RTSP server does not need to send a...

5.8 AI score
Exploits: 0

Hacker One
added 2026/06/02 9:6 a.m., 22 views

curl: TFTP upload ignores --continue-at / CURLOPT_RESUME_FROM and leaks skipped local file prefix

Summary: TFTP uploads ignore the configured resume offset. When a caller runs `curl -C N -T file tftp://...` or uses libcurl with CURLOPT_UPLOAD and CURLOPT_RESUME_FROM, curl should skip the first N bytes of the local source before uploading. Instead, the TFTP code sends the complete local file from by...

5.8 AI score
Exploits: 0

Hacker One
added 2026/06/01 5:41 p.m., 17 views

PortSwigger Web Security: Incomplete fix for CVE-2022-35406: meta-redirect content-type check bypassable via parameter injection

The fix for CVE-2022-35406 1541301 stops Burp from following a redirect when the response Content-Type/Content-Disposition would prevent HTML rendering. The check substring-matches html in the raw Content-Type instead of parsing the media type. A text/plain response can smuggle the token via a...

4.3 CVSS, 5.8 AI score, 0.00623 EPSS
Exploits: 0

Hacker One
added 2026/06/01 3:28 p.m., 31 views

curl: libcurl 8.20.0 ignores HTTP Digest domain protection space and preemptively leaks Digest auth outside the declared scope

Summary: libcurl 8.20.0 ignores the server-declared HTTP Digest domain protection space for origin authentication and reuses stored Digest state too broadly on the same easy handle. After a successful Digest-authenticated request, a later request on the same easy handle can receive a preemptive...

5.8 AI score
Exploits: 0

Hacker One
added 2026/06/01 8:53 a.m., 15 views

curl: heap-use-after-free in state.referer when CURLOPT_REFERER replaced or cleared after perform

Calling curl_easy_setopt(curl, CURLOPT_REFERER, ...) to replace or clear a previously-set referer after curl_easy_perform() frees the old string via Curl_setstropt() (lib/setopt.c:87) but leaves data->state.referer.ptr pointing at the freed heap region. curl_easy_getinfo(CURLINFO_REFERER) and curl_easy_duphandle() then...

5.6 AI score
Exploits: 0

Hacker One
added 2026/05/31 5:50 p.m., 21 views

curl: curl/libcurl 8.20.0 NOPROXY bypass via uppercase-hex IPv4 aliases leaks off-proxy Basic credentials to the configured proxy

Summary: curl/libcurl 8.20.0 fails to enforce CURLOPT_NOPROXY, --noproxy, and NO_PROXY consistently for uppercase-hex IPv4 aliases such as 0X7f.1 on glibc-based systems that accept these legacy numeric IPv4 forms. When a canonical IP literal is excluded from proxying, curl sends the canonical form...

5.8 AI score
Exploits: 0

Hacker One
added 2026/05/30 7:56 a.m., 18 views

curl: SMTP connection reuse ignores --ssl-reqd / CURLOPT_USE_SSL and reuses a clear-text STARTTLS session on current master

Summary: Current master reintroduces a STARTTLS connection-reuse bug in SMTP. After commit 91dcf4e610 (url: url_match_destination fix), curl/libcurl can reuse an already-established clear-text smtp:// session for a later logical request that explicitly requires TLS via --ssl-reqd or CURLOPT_USE_SSL =...

5.8 AI score
Exploits: 0

Hacker One
added 2026/05/29 9:18 a.m., 22 views

curl: Low priority HSTS bypass in curl_easy_duphandle()

Summary: curl_easy_duphandle() creates a fresh HSTS store for the cloned handle and populates it from the configured files and callbacks, but never copies entries acquired from Strict-Transport-Security response headers during the parent's lifetime. This means the client using a cloned handle may...

5.8 AI score
Exploits: 0

Hacker One
added 2026/05/28 6:53 p.m., 20 views

curl: Proxy CONNECT response poisoning via authentication retry in cf-h1-proxy.c (libcurl)

Summary: When an HTTP/1.x proxy returns a 407 with no Content-Length and no chunked transfer-encoding, lib/cf-h1-proxy.c single_header() sets ts->keepon = KEEPON_DONE but never sets ts->close_connection = TRUE. Because ts->close_connection and conn->bits.close both stay false, the CONNECT tunnel state...

5.8 AI score
Exploits: 0

Hacker One
added 2026/05/28 9:34 a.m., 3 views

Yelp: Yelp for Business: locked Email field silently editable via API

The Yelp Biz Android app's Account Information screen was found to have a vulnerability where the email field was presented as read-only with a lock icon, but could be silently modified via the API endpoint POST /account/info/bio/v1. The change was reflected immediately in the app's user interfac...

5.8 AI score
Exploits: 0

Hacker One
added 2026/05/28 8:54 a.m., 24 views

curl: curl External-Controlled Filename in `--url @file` Leads to Arbitrary File Overwrite

Vulnerability Report: curl External-Controlled Filename in --url @file Leads to Arbitrary File Overwrite 1. Product Overview curl is a widely used command-line tool and library libcurl for transferring data with URL syntax across multiple protocols such as HTTP, HTTPS, and FTP. It is preinstalled...

5.7 AI score
Exploits: 0

Hacker One
added 2026/05/28 3:28 a.m., 15 views

curl: CURLOPT_COOKIE leaked to cross-origin redirect target — CURLOPT_UNRESTRICTED_AUTH bypass for the STRING_COOKIE path

Summary: http_cookies() at lib/http.c:2532-2534 appends the value of CURLOPT_COOKIE (the cookie supplied via -b) to outgoing Cookie: headers without invoking Curl_auth_allowed_to_host(). As a result, when CURLOPT_FOLLOWLOCATION is enabled and the initial origin issues a cross-origin redirect (open redirector),...

5.7 CVSS, 6.7 AI score, 0.01595 EPSS
Exploits: 1

Hacker One
added 2026/05/26 5:19 a.m., 20 views

curl: Mentioned unites are at the same time .Then we have to increase the bounty.

Summary: Once you done with the coding then we have to increase the bounty and then write the review on the same Once we find the error then we have to submit the margin and find the events Affected version Use a language that is not susceptible to these issues. However, be careful of null byte...

5.7 AI score
Exploits: 0

Hacker One
added 2026/05/26 2:47 a.m., 89 views

curl: TLS conn reuse and session cache ignore fsslctx callback and ssl_config_data flags ( incomplete fix variant of 7541ae569 )

Summary: match_ssl_primary_config() in lib/vtls/vtls.c:194 and the session-cache key built by cf_ssl_peer_key_build() in lib/vtls/vtls_scache.c:240 both compare only struct ssl_primary_config fields when deciding whether to reuse a TLS connection or cached session. Several fields that materially change the TLS...

5.9 AI score
Exploits: 0

Hacker One
added 2026/05/25 8:37 a.m., 8 views

Node.js: Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS)

Vulnerability description not provided...

7.5 CVSS, 5.8 AI score, 0.02445 EPSS
Exploits: 0

Hacker One
added 2026/05/23 12:20 p.m., 24 views

curl: lib/ldap.c follows attacker-controlled LDAP referrals and binds to a second server; WinLDAP builds leak current logon credentials (confirmed on Window

Summary: curl's generic LDAP backend lib/ldap.c does not disable automatic LDAP referral chasing, unlike lib/openldap.c, which explicitly sets LDAP_OPT_REFERRALS to LDAP_OPT_OFF. As a result, a malicious first-hop LDAP server can return a referral to an attacker-controlled second LDAP server and caus...

5.7 AI score
Exploits: 0

Hacker One
added 2026/05/22 3:13 a.m., 7 views

curl: CVE-2026-9546: sending old referer

Summary: libcurl documents that CURLOPT_REFERER can be set to NULL to disable the Referer header again, but doing so after a transfer does not clear the cached per-handle referer state. As a result, the next HTTP request on the same easy handle can still send the previous request's Referer: value ...

5.9 AI score
Exploits: 0

Hacker One
added 2026/05/21 10:58 a.m., 6 views

curl: CVE-2026-9545: exposing HTTP/3 early data

Summary: When the ngtcp2 HTTP/3 backend reuses a TLS session that advertises early data support, cf_ngtcp2_on_session_reuse() initializes the HTTP/3 connection state and marks the connection filter as connected before the new QUIC/TLS handshake has completed. The request send path can then reach...

6 AI score
Exploits: 0

Hacker One
added 2026/05/21 7:5 a.m., 44 views

curl: curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication

Summary: When curl/libcurl is built with the GnuTLS backend, the current HTTPS server-certificate validation path verifies the trust chain and hostname but does not enforce TLS server Extended Key Usage semantics. As a result, a leaf certificate that chains to a trusted CA, matches the requested...

5.9 AI score
Exploits: 0

Hacker One
added 2026/05/21 6:31 a.m., 28 views

Node.js: Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`)

I discovered a memory corruption vulnerability in Node.js's native UTF-8 string decoding path src/string_bytes.cc. When `Buffer.prototype.toString('utf8')` is called on a Buffer backed by a SharedArrayBuffer, the underlying native code performs a validate-then-convert sequence without copying the data...

6.4 AI score
Exploits: 0