Astra Linux - уязвимость в curl

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. The documentation states that this option works with wolfSSL, but does not specify that it does...

Astra Linux - уязвимость в firefox, thunderbird

Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user’s system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11,...

Astra Linux - уязвимость в curl

curl 7.1.1 up to and including 7.75.0 is vulnerable to a “Exposure of Private Personal Information to an Unauthorized Actor” by leaking credentials in the HTTP Referer: header. libcurl does not remove user credentials from the URL when automatically filling in the Referer: HTTP request header fie...

Astra Linux - уязвимость в curl

There is a vulnerability in curl v7.88.0 where resource allocation without limits or throttling exists. This vulnerability stems from the “chained” HTTP compression algorithms. This means that a server’s response can be compressed multiple times, possibly using different algorithms. The number of...

Astra Linux - уязвимость в curl

There is a vulnerability in the handling of certificate validation in curl v8.1.0, particularly in how wildcard patterns are matched when listed as “Subject Alternative Name” in TLS server certificates. Curls can be modified to use its own name matching function for TLS, rather than the one...

Astra Linux - уязвимость в curl

There is a path traversal vulnerability in the 8.0.0 SFTP implementation of curl. This vulnerability causes the tilde character to be incorrectly replaced when used as a prefix in the first path element. Additionally, the tilde is intended to be used as the first element to indicate a path relati...

Astra Linux - уязвимость в curl

curl 7.84.0 supports “chained” HTTP compression algorithms, which means that a server response can be compressed multiple times, possibly using different algorithms. The number of allowable “links” in this “decompression chain” is unlimited, allowing a malicious server to insert virtually an...

Astra Linux - уязвимость в curl

Curl versions 7.20.0 through 7.70.0 are vulnerable to improper restrictions on the names of files and other resources, which can lead to overwriting of local files when the -J flag is used...

Astra Linux - уязвимость в curl

In versions 7.7 through 7.76.1 of curl, there is an information disclosure issue when the -t command-line option, referred to as CURLOPTTELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. This issue arises due to a flaw in the option parser for sending NEWENV...

SUSE CVE-2025-5264

Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11,...

curl: curl cross-origin HTTPS redirect reuses TLS client certificate for unintended second-origin mTLS authentication

Summary: When curl follows an HTTPS redirect to a different origin under normal -L / CURLOPTFOLLOWLOCATION behavior, it still presents the configured TLS client certificate to the redirected-to HTTPS server. This happens without --location-trusted / CURLOPTUNRESTRICTEDAUTH, even though curl alrea...

Fedora 43 : php (2026-c4d1ca4f16)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-c4d1ca4f16 advisory. PHP version 8.4.21 07 May 2026 Core: Fixed bug GH-19983 GC assertion failure with fibers, generators and destructors. iliaal Fixed bug GH-21478...

Advisory ROSA-SA-2026-3278

software: curl 8.7.1 OS: ROSA-CHROME unaffected versions = curl-8.7.1-7 affected versions curl-8.7.1-7 CVE-ID: CVE-2026-3784 BDU-ID: None CVE-Crit: MEDIUM CVE-DESC.: A vulnerability in curl involves incorrectly reusing an existing HTTP proxy connection CONNECT when making requests with different...

Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: curl: curl-8.20.0-2.hum1 aarch64, x8664 libcurl-8.20.0-2.hum1 aarch64, x8664 libcurl-devel-8.20.0-2.hum1 aarch64, x8664 libcurl-minimal-8.20.0-2.hum1 aarch64, x8664 curl-8.20.0-2.hum1.src src...

curl: curl --skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write

Summary: The curl CLI's --skip-existing option performs a separate existence check before the download body is written. In the verified path, curl first calls stat on the target pathname and decides "the file does not exist, so continue", but it does not keep an fd bound to that decision. The...

Photon OS 4.0: Curl PHSA-2026-4.0-1020

An update of the curl package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-4.0-1020. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...

SUSE SLES15 Security Update : curl (SUSE-SU-2026:1940-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1940-1 advisory. Security issues fixed: - CVE-2026-4873: connection reuse ignores TLS requirement bsc1262631. - CVE-2026-5545: wrong reuse of HTTP...

Security Bulletin: curl vulnerability

Summary Prior versions of Classic Remote Capture may include this curl vulnerability. Vulnerability Details CVEID:CVE-2025-9086 DESCRIPTION: 1. A cookie is set using the secure keyword for https://target 2. curl is redirected to or otherwise made to speak with http://target same hostname, but...

Security update for curl

This update for curl fixes the following issues: Security issues fixed: CVE-2026-4873: connection reuse ignores TLS requirement bsc1262631. CVE-2026-5545: wrong reuse of HTTP Negotiate connection bsc1262632. CVE-2026-6253: proxy credentials leak over redirect-to proxy bsc1262635. CVE-2026-6276:...

SUSE-SU-2026:1940-1 Security update for curl

This update for curl fixes the following issues: Security issues fixed: - CVE-2026-4873: connection reuse ignores TLS requirement bsc1262631. - CVE-2026-5545: wrong reuse of HTTP Negotiate connection bsc1262632. - CVE-2026-6253: proxy credentials leak over redirect-to proxy bsc1262635. -...