Hacker One
added 2026/05/21 7:05 a.m. (47 views)

curl: curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication

Summary: When curl/libcurl is built with the GnuTLS backend, the current HTTPS server-certificate validation path verifies the trust chain and hostname but does not enforce TLS server Extended Key Usage semantics. As a result, a leaf certificate that chains to a trusted CA, matches the requested...

AI score: 5.9
Exploits: 0
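The Extended Key Usage check the report says the GnuTLS path omits, as an added example that is not curl's or GnuTLS's code: it parses the DER value of the extKeyUsage extension (OID 2.5.29.37, a SEQUENCE OF OBJECT IDENTIFIER) and accepts a leaf for server authentication only if id-kp-serverAuth or anyExtendedKeyUsage is listed. It assumes the caller has already extracted that DER value from the certificate (with GnuTLS, gnutls_x509_crt_get_extension_by_oid() on "2.5.29.37" returns it); the three sample extension values are constructed by hand so the check runs offline.

```c
/* Added example, not curl or GnuTLS code: decide whether a leaf
 * certificate's extKeyUsage extension (OID 2.5.29.37) permits TLS server
 * authentication.  Input is the raw DER value of that extension, i.e.
 * SEQUENCE OF OBJECT IDENTIFIER.  Sample values below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* OID contents octets (tag and length stripped) */
static const uint8_t OID_SERVER_AUTH[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01}; /* 1.3.6.1.5.5.7.3.1 */
static const uint8_t OID_ANY_EKU[]     = {0x55,0x1d,0x25,0x00};                     /* 2.5.29.37.0 */

/* Decode a DER length (short form or 1..2 byte long form).  Returns 0 on
 * a form this example does not handle. */
static int der_len(const uint8_t *p, size_t avail, size_t *len, size_t *hdr)
{
    if(avail < 1) return 0;
    if(p[0] < 0x80) { *len = p[0]; *hdr = 1; return 1; }
    if(p[0] == 0x81 && avail >= 2) { *len = p[1]; *hdr = 2; return 1; }
    if(p[0] == 0x82 && avail >= 3) { *len = ((size_t)p[1] << 8) | p[2]; *hdr = 3; return 1; }
    return 0;
}

/* 1: serverAuth (or anyExtendedKeyUsage) is listed; 0: it is not, so the
 * certificate must not be accepted for HTTPS server authentication;
 * -1: malformed DER. */
int eku_allows_server_auth(const uint8_t *der, size_t n)
{
    size_t len, hdr, pos;
    if(n < 2 || der[0] != 0x30) return -1;                /* outer SEQUENCE */
    if(!der_len(der + 1, n - 1, &len, &hdr)) return -1;
    pos = 1 + hdr;
    if(pos + len != n) return -1;                         /* length must cover exactly the input */
    while(pos < n) {
        size_t olen, ohdr;
        if(der[pos] != 0x06) return -1;                   /* OBJECT IDENTIFIER */
        if(!der_len(der + pos + 1, n - pos - 1, &olen, &ohdr)) return -1;
        pos += 1 + ohdr;
        if(olen == 0 || pos + olen > n) return -1;
        if((olen == sizeof OID_SERVER_AUTH && !memcmp(der + pos, OID_SERVER_AUTH, olen)) ||
           (olen == sizeof OID_ANY_EKU && !memcmp(der + pos, OID_ANY_EKU, olen)))
            return 1;
        pos += olen;
    }
    return 0;
}

/* Caller policy: no EKU extension at all leaves usage unrestricted and is
 * accepted; an EKU that omits serverAuth (e.g. clientAuth only) or that
 * does not parse is rejected. */
int accept_for_https_server(const uint8_t *eku_der, size_t n)
{
    if(!eku_der) return 1;
    return eku_allows_server_auth(eku_der, n) == 1;
}

/* Constructed extension values */
static const uint8_t EKU_CLIENT_AUTH_ONLY[] = {
    0x30,0x0a, 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02 };           /* clientAuth */
static const uint8_t EKU_CLIENT_AND_SERVER[] = {
    0x30,0x14, 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02,
               0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01 };           /* clientAuth, serverAuth */
static const uint8_t EKU_ANY[] = { 0x30,0x06, 0x06,0x04,0x55,0x1d,0x25,0x00 }; /* anyExtendedKeyUsage */
```

A certificate carrying only id-kp-clientAuth is exactly the case the report describes: it chains and matches the name, but eku_allows_server_auth() returns 0 and accept_for_https_server() rejects it. A truncated or otherwise malformed extension is treated the same way as a missing purpose, not as a pass.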
Hacker One
added 2026/05/21 6:31 a.m. (28 views)

Node.js: Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`)

I discovered a memory corruption vulnerability in Node.js's native UTF-8 string decoding path (src/string_bytes.cc). When Buffer.prototype.toString('utf8') is called on a Buffer backed by a SharedArrayBuffer, the underlying native code performs a validate-then-convert sequence without copying the data...

AI score: 6.4
Exploits: 0
Hacker One
added 2026/05/20 7:43 p.m. (36 views)

curl: Heap-OOB read in urlapi `redirect_url()` via `CURLU_GUESS_SCHEME` + `CURLU_NO_GUESS_SCHEME` flow

Hi all, We've found an issue in lib/urlapi.c where redirect_url() reads past the end of a heap buffer when the source URL it operates on lacks a "scheme://" prefix. This is reachable through documented public APIs (curl_url_set()) when the caller mixes CURLU_GUESS_SCHEME with a subsequent CURLU_NO_GUESS_SCHEME...

AI score: 5.9
Exploits: 0
Hacker One
added 2026/05/20 7:40 p.m. (7 views)

curl: CVE-2026-9547: SSH improper host validation

Hi all, We've found an issue in lib/vssh/libssh.c where the libssh backend maps SSH_KNOWN_HOSTS_OTHER to CURLKHMATCH_MISSING instead of CURLKHMATCH_MISMATCH. libssh documents SSH_KNOWN_HOSTS_OTHER as "The server gave us a key of a type while we had another type recorded. It is a possible attack."...

AI score: 5.8, EPSS: 0.00187
Exploits: 0
Hacker One
added 2026/05/20 7:35 p.m. (21 views)

curl: Use-after-free in `curl_easy_duphandle()` with HTTP/2 stream-dependency tree

Hi all, We've found an issue in lib/easy.c where curl_easy_duphandle() shallow-copies set.priority, so the original and the duplicate end up holding two independent pointer-typed variables that both reference the same heap-allocated Curl_data_prio_node chain. Freeing the chain from one side leaves the...

AI score: 5.7
Exploits: 0
Hacker One
added 2026/05/20 7:31 p.m. (6 views)

curl: CVE-2026-10536: HTTP/2 stream-dependency tree UAF

Use-after-free in curl_easy_reset() with HTTP/2 stream-dependency tree. Hi all, We've found an issue in lib/easy.c where curl_easy_reset() bypasses Curl_data_priority_cleanup() before clearing data->set, leaving the HTTP/2 stream-dependency tree with dangling pointers to the reset handle. The current curl_easy_reset() ...

AI score: 5.8, EPSS: 0.00206
Exploits: 0
Hacker One
added 2026/05/20 10:49 a.m. (23 views)

curl: CVE-2026-9079: stale proxy password leak

Product name: curl / libcurl
Product link: https://github.com/curl/curl
Suggested CWE: CWE-226: Sensitive Information in Resource Not Removed Before Reuse (https://cwe.mitre.org/data/definitions/226.html); alternative CWE-200: Exposure of Sensitive Information to an Unauthorized Actor...

AI score: 5.9, EPSS: 0.0025
Exploits: 0
Hacker One
added 2026/05/20 1:40 a.m. (35 views)

curl: curl cross-origin HTTPS redirect reuses TLS client certificate for unintended second-origin mTLS authentication

Summary: When curl follows an HTTPS redirect to a different origin under normal -L / CURLOPT_FOLLOWLOCATION behavior, it still presents the configured TLS client certificate to the redirected-to HTTPS server. This happens without --location-trusted / CURLOPT_UNRESTRICTED_AUTH, even though curl alrea...

AI score: 5.4
Exploits: 0
Hacker One
added 2026/05/19 10:04 p.m. (7 views)

curl: CVE-2026-9080: UAF after pause in socket callback

Hi all, We've found a heap-use-after-free in lib/multiev.c triggered by calling curl_easy_pause() from within a CURLMOPT_SOCKETFUNCTION callback. ASAN-confirmed with the self-contained reproducer below. Affected versions: 8.13.0 – 8.20.0 (current). The entry-action write (line 280) has been vulnerable sin...

AI score: 5.7, EPSS: 0.00206
Exploits: 0
Hacker One
added 2026/05/19 11:30 a.m. (35 views)

curl: curl --skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write

Summary: The curl CLI's --skip-existing option performs a separate existence check before the download body is written. In the verified path, curl first calls stat() on the target pathname and decides "the file does not exist, so continue", but it does not keep an fd bound to that decision. The...

AI score: 5.9
Exploits: 0
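The check-then-write shape described above next to the atomic alternative, as an added example that is not curl's tool code: the racy variant does a stat() followed by a separate open(), while the safe variant uses open() with O_CREAT|O_EXCL|O_NOFOLLOW so the "nothing is here yet" decision and the file creation are one system call. The temp directory, file names and payload are constructed for the run; the demo needs a writable /tmp and cleans up after itself.

```c
/* Added example, not curl's tool code: the stat()-then-write shape behind
 * --skip-existing next to an open() that binds the "nothing is here yet"
 * decision to the write itself.  Runs in a fresh mkdtemp() directory. */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: existence check and write are separate system calls.
 * Whatever is placed at `path` in between (for instance a symlink to a
 * file the victim can write) decides where the bytes go. */
int racy_open_if_missing(const char *path)
{
    struct stat st;
    if(stat(path, &st) == 0)
        return -1;                                   /* exists: skip download */
    /* ---- race window: path may become a symlink here ---- */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Safe pattern: create-or-fail atomically.  O_EXCL makes open() fail with
 * EEXIST if anything (regular file, directory, even a dangling symlink)
 * already occupies the path, so there is no separate decision to race. */
int safe_open_if_missing(const char *path)
{
    int fd;
    do {
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    } while(fd < 0 && errno == EINTR);
    return fd;
}

/* Returns 1 when every step behaves as described: the safe open creates a
 * fresh file, refuses an existing one, refuses a planted symlink, while
 * the post-check write of the racy flow follows that symlink into the
 * victim file. */
int demo_skip_existing_race(void)
{
    char dir[] = "/tmp/skipexXXXXXX";
    char target[256], victim[256], buf[16];
    int fd, ok = 1;
    ssize_t n;

    if(!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/download.bin", dir);
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);

    /* fresh path: both variants create the file */
    fd = racy_open_if_missing(target);  ok &= (fd >= 0);  if(fd >= 0) close(fd);
    unlink(target);
    fd = safe_open_if_missing(target);  ok &= (fd >= 0);  if(fd >= 0) close(fd);

    /* existing file: the safe open refuses with EEXIST */
    fd = safe_open_if_missing(target);  ok &= (fd < 0 && errno == EEXIST);
    if(fd >= 0) close(fd);
    unlink(target);

    /* attacker plants download.bin -> victim.txt after the stat() */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0644);  if(fd >= 0) close(fd);
    ok &= (symlink(victim, target) == 0);

    fd = safe_open_if_missing(target);  ok &= (fd < 0 && errno == EEXIST);
    if(fd >= 0) close(fd);

    /* the racy flow's write step, as it runs once stat() said "missing" */
    fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    ok &= (fd >= 0);
    if(fd >= 0) { ok &= (write(fd, "pwned", 5) == 5); close(fd); }

    fd = open(victim, O_RDONLY);
    n = fd >= 0 ? read(fd, buf, sizeof buf) : -1;
    if(fd >= 0) close(fd);
    ok &= (n == 5 && memcmp(buf, "pwned", 5) == 0);         /* victim overwritten */

    unlink(target); unlink(victim); rmdir(dir);
    return ok;
}
```

The point of the safe variant is that there is no decision to carry across a window: if the open succeeds, the descriptor refers to a brand-new inode that the caller created, and any later write goes there regardless of what the directory entry is changed to afterwards.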
Hacker One
added 2026/05/18 11:47 a.m. (10 views)

curl: CVE-2026-8927: env-set cross-proxy Digest auth state leak

AI-assisted preparation note: I used AI assistance to help structure and format this report, but the technical findings, PoC, and verification results are based on local testing against curl/libcurl 8.20.0.
Summary: I found a possible incomplete-fix variant of CVE-2026-7168 in libcurl 8.20.0. The...

CVSS: 5.3, AI score: 5.5, EPSS: 0.00471
Exploits: 1
Hacker One
added 2026/05/18 8:49 a.m. (26 views)

Revive Adserver: PHP code injection via unexpected delivery limitation parameter

A vulnerability was reported in Revive Adserver 6.0.6 and earlier versions where user input was not properly validated when saving delivery limitations. This allowed a low-privileged user to inject malicious PHP code into the compiledlimitations field, which could then be executed during banner...

CVSS: 8.8, AI score: 5.9, EPSS: 0.0045
Exploits: 1
Hacker One
added 2026/05/17 7:12 a.m. (17 views)

curl: CRLF Injection via Custom HTTP Headers

Summary: libcurl writes user-supplied custom headers directly into the HTTP request buffer without stripping \r\n characters. The raw input pointer origp in Curl_add_custom_headers() (lib/http.c) is serialized verbatim into the outgoing request using curlx_dyn_addf(req, "%s\r\n", origp) instead of using the...

AI score: 5.8
Exploits: 0
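A stand-in for the serialisation the report describes plus the caller-side guard, as an added example that is not libcurl's code: build_request() writes each header entry verbatim followed by CRLF (the "%s\r\n" shape), header_is_safe() is the check an application can apply before handing a list to CURLOPT_HTTPHEADER, and count_header_lines() shows one list entry with an embedded CRLF arriving at the peer as two headers. The header strings are constructed for the demo.

```c
/* Added example, not libcurl's lib/http.c: a stand-in for "each custom
 * header written verbatim followed by CRLF", the caller-side check that
 * refuses CR/LF in a header before it reaches CURLOPT_HTTPHEADER, and a
 * count of how many header lines a single list entry turned into. */
#include <stdlib.h>
#include <string.h>

/* 1 if the header contains no CR or LF; 0 otherwise.  (A NUL cannot be
 * checked here because it already terminates the C string.) */
int header_is_safe(const char *h)
{
    for(; *h; h++)
        if(*h == '\r' || *h == '\n')
            return 0;
    return 1;
}

/* Build "request-line CRLF (header CRLF)* CRLF".  With reject_unsafe set,
 * entries failing header_is_safe() are dropped.  Returns a malloc'd
 * string or NULL. */
char *build_request(const char *request_line, const char *const *headers,
                    size_t n, int reject_unsafe)
{
    size_t i, cap = strlen(request_line) + 4 + 1;
    for(i = 0; i < n; i++)
        cap += strlen(headers[i]) + 2;
    char *buf = malloc(cap);
    if(!buf) return NULL;
    strcpy(buf, request_line);
    strcat(buf, "\r\n");
    for(i = 0; i < n; i++) {
        if(reject_unsafe && !header_is_safe(headers[i]))
            continue;                               /* refused, not serialised */
        strcat(buf, headers[i]);                    /* verbatim, like "%s\r\n" */
        strcat(buf, "\r\n");
    }
    strcat(buf, "\r\n");
    return buf;
}

/* Number of header lines the peer will parse: lines up to the first empty
 * line, not counting the request line. */
int count_header_lines(const char *req)
{
    int lines = 0;
    const char *p = req;
    for(;;) {
        const char *eol = strstr(p, "\r\n");
        if(!eol || eol == p) break;                 /* end of headers */
        lines++;
        p = eol + 2;
    }
    return lines > 0 ? lines - 1 : 0;
}

/* Constructed input: the first entry is one list item that carries an
 * embedded CRLF, so on the wire it becomes two header lines. */
static const char *const DEMO_HEADERS[] = {
    "X-Trace-Id: abc123\r\nX-Injected: 1",
    "Accept: */*",
};

/* Header lines produced from DEMO_HEADERS with or without the check. */
int demo_header_line_count(int reject_unsafe)
{
    char *req = build_request("GET / HTTP/1.1", DEMO_HEADERS, 2, reject_unsafe);
    int n = req ? count_header_lines(req) : -1;
    free(req);
    return n;
}
```

Without the check the two-entry list yields three header lines, with the attacker-controlled "X-Injected: 1" indistinguishable from a header the application set; with the check the offending entry is refused and only "Accept: */*" is sent. Whether the check belongs in the library or the caller is the question the report raises; an application that takes header values from untrusted input should apply it either way.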
Hacker One
added 2026/05/16 9:24 p.m. (120 views)

curl: Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers

Summary: libcurl's connection pool match logic does not include the CURLOPT_HAPROXYPROTOCOL setting or the CURLOPT_HAPROXY_CLIENT_IP value in its connection match key. Two transfers issued through the same Curl_easy or via a shared connection cache (CURL_LOCK_DATA_CONNECT) therefore share one TCP connectio...

CVSS: 7.5, AI score: 7, EPSS: 0.00715
Exploits: 9
Hacker One
added 2026/05/16 2:59 a.m. (24 views)

curl: SSL session-cache peer key omits signature_algorithms: strict-sigalg handle silently resumes a permissive sibling's session

CURLOPT_SSL_SIGNATURE_ALGORITHMS policy bypass: SSL session cache key omits sigalgs, allowing a strict-sigalg handle to resume a session negotiated under a permissive policy.
AI disclosure: This report was prepared with the assistance of an AI coding assistant (Claude). The behavioral diff (pre/post patc...

CVSS: 7.5, AI score: 6.7, EPSS: 0.03721
Exploits: 1
Hacker One
added 2026/05/15 4:29 p.m. (11 views)

AWS VDP: Firecracker Out-of-bounds Read/Write Local Privilege Escalation Vulnerability

A vulnerability was discovered in Firecracker versions up to 1.15.1 that could allow a malicious guest to bypass protection mechanisms and perform out-of-bounds read and write operations on the virtio PCI queue. The vulnerability was caused by inconsistencies in the handling of queue activation...

CVSS: 8.7, AI score: 5.8, EPSS: 0.00208
Exploits: 0
Hacker One
added 2026/05/15 2:27 a.m. (33 views)

Node.js: NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset

Summary: A 19-byte malformed SQLite changeset passed to Node.js node:sqlite DatabaseSync#applyChangeset() causes a native NULL pointer dereference and terminates the Node.js process. Description: The built-in Node.js node:sqlite API exposes DatabaseSync#applyChangeset(changeset, options), which accepts...

AI score: 5.8
Exploits: 0
Hacker One
added 2026/05/14 6:30 p.m. (25 views)

curl: NULL pointer dereference in libcurl URL API redirect_url() with CURLU_DEFAULT_SCHEME

Summary: A NULL pointer dereference appears to exist in libcurl's URL API path when curl_url_set() handles a relative URL together with CURLU_DEFAULT_SCHEME on a CURLU handle that has host/path information but no stored u->scheme. The issue is in lib/urlapi.c inside redirect_url(), where u->scheme is used in...

AI score: 5.6
Exploits: 0
Hacker One
added 2026/05/14 12:39 p.m. (37 views)

curl: TLS peer-verification bypass via mid-transfer ssl_config mutation

Hi all, We want to report a TLS peer-verification issue on current master. The trigger is narrow and requires a specific application usage pattern, but when it fires, a transfer that requests CURLOPT_SSL_VERIFYPEER=1 can reuse a TLS connection that was established with peer verification disabled...

AI score: 5.9
Exploits: 0
Hacker One
added 2026/05/14 12:13 p.m. (38 views)

curl: cookie: case-insensitive path comparison in replace_existing() allows cookie eviction across distinct paths

Hi all, replace_existing() in lib/cookie.c compares cookie paths case-insensitively at two sites. On case-sensitive servers, /Admin and /admin are distinct resources and are supposed to produce distinct jar entries. Because libcurl conflates them, a Set-Cookie at one path silently evicts the cookie ...

AI score: 5.8
Exploits: 0
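The eviction across /Admin and /admin, as an added example that is not lib/cookie.c: a minimal jar whose replace step matches on name, domain and path, and can be switched between strcasecmp() and strcmp() for the path comparison. The cookie name, domain, paths and values are constructed for the demo.

```c
/* Added example, not curl's lib/cookie.c: a minimal cookie jar whose
 * replace-existing step matches on name, domain and path.  The jar can be
 * switched between strcasecmp() and strcmp() for the path to show the
 * eviction the report describes.  Cookie data is constructed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_COOKIES 16

struct cookie { char name[32]; char domain[64]; char path[64]; char value[64]; };
struct jar { struct cookie c[MAX_COOKIES]; int n; int case_insensitive_path; };

/* Domains are case-insensitive by design; paths are not. */
static int path_equal(const struct jar *j, const char *a, const char *b)
{
    return j->case_insensitive_path ? strcasecmp(a, b) == 0 : strcmp(a, b) == 0;
}

/* Mirrors the replace-existing step: overwrite a matching entry in place
 * and return 1 (the old value is evicted); otherwise append and return 0;
 * -1 if the jar is full. */
int jar_set_cookie(struct jar *j, const char *name, const char *domain,
                   const char *path, const char *value)
{
    int i;
    for(i = 0; i < j->n; i++) {
        struct cookie *c = &j->c[i];
        if(!strcmp(c->name, name) && !strcasecmp(c->domain, domain) &&
           path_equal(j, c->path, path)) {
            snprintf(c->value, sizeof c->value, "%s", value);
            return 1;
        }
    }
    if(j->n >= MAX_COOKIES) return -1;
    struct cookie *c = &j->c[j->n++];
    snprintf(c->name, sizeof c->name, "%s", name);
    snprintf(c->domain, sizeof c->domain, "%s", domain);
    snprintf(c->path, sizeof c->path, "%s", path);
    snprintf(c->value, sizeof c->value, "%s", value);
    return 0;
}

/* Exact-path lookup: the value stored for (name, domain, path), or NULL. */
const char *jar_lookup(const struct jar *j, const char *name,
                       const char *domain, const char *path)
{
    int i;
    for(i = 0; i < j->n; i++)
        if(!strcmp(j->c[i].name, name) && !strcasecmp(j->c[i].domain, domain) &&
           !strcmp(j->c[i].path, path))
            return j->c[i].value;
    return NULL;
}

/* Scenario from the report: two Set-Cookie lines for the same name on the
 * distinct case-sensitive paths /Admin and /admin. */
static void load_scenario(struct jar *j, int case_insensitive_path)
{
    memset(j, 0, sizeof *j);
    j->case_insensitive_path = case_insensitive_path;
    jar_set_cookie(j, "session", "example.com", "/Admin", "admin-token");
    jar_set_cookie(j, "session", "example.com", "/admin", "user-token");
}

/* Entries left after the scenario: 1 with the conflation, 2 with strcmp(). */
int demo_entry_count(int case_insensitive_path)
{
    struct jar j;
    load_scenario(&j, case_insensitive_path);
    return j.n;
}

/* 1 if the /Admin cookie still carries its own value after the scenario. */
int demo_admin_cookie_intact(int case_insensitive_path)
{
    struct jar j;
    const char *v;
    load_scenario(&j, case_insensitive_path);
    v = jar_lookup(&j, "session", "example.com", "/Admin");
    return v != NULL && strcmp(v, "admin-token") == 0;
}
```

With the case-insensitive comparison the second Set-Cookie is treated as a replacement for the first, so the jar ends up holding one entry whose path says /Admin but whose value is the /admin token; with strcmp() both entries survive and each path gets its own value back.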