CVE-2026-6253

A flaw was found in curl. When curl is configured to use distinct proxies for different URL schemes, a redirect from a URL using an authenticated proxy to one using an unauthenticated proxy can inadvertently expose the initial proxy's credentials. This improper credential management CWE-522 may...

CVE-2026-4873

A flaw was found in curl. A remote attacker could exploit this by initiating an unencrypted connection via IMAP, SMTP, or POP3 and then making a subsequent request to the same host that requires Transport Layer Security TLS. Due to incorrect connection reuse, the subsequent request would bypass t...

Important Photon OS Security Update - PHSA-2026-5.0-0838

Updates of 'curl' packages of Photon OS have been released...

CLSA-2026-1777463593 curl: Fix of CVE-2023-27533

CVE-2023-27533: telnet: only accept option arguments in ascii...

CLSA-2026-1777463367 curl: Fix of CVE-2023-27533

CVE-2023-27533: telnet: only accept option arguments in ascii...

CVE-2026-6253

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. whil...

CVE-2026-5773

libcurl might in some circumstances reuse the wrong connection for SMBS transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the...

UBUNTU-CVE-2026-6253

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. whil...

MAL-2026-3159 Malicious code in apple-internal-pki-trust-v5 (npm)

Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...

CURL-CVE-2026-6253 proxy credentials leak over redirect-to proxy

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. whil...

Malicious code in apple-cloud-infrastructure-monitor (npm)

Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...

proxy credentials leak over redirect-to proxy

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. whil...

wrong reuse of HTTP Negotiate connection

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTPS request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid...

Malicious code in apple-coredata-internal-service (npm)

Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...

OCSP stapling bypass with Apple SecTrust

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine...

CURL-CVE-2026-5545 wrong reuse of HTTP Negotiate connection

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTPS request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid...

curl: MQTT state machine confusion: PINGRESP/DISCONNECT with non-zero remaining_length dispatches to stale nextstate

Summary: In lib/mqtt.c, the state machine in mqttdoing lines 894-911 in curl 8.20.0 does not validate that PINGRESP 0xD0 and DISCONNECT 0xE0 packets have remaininglength == 0 as required by MQTT 3.1.1 spec sections 3.13.1 and 3.14.1. A malicious broker can send a PINGRESP fixed header with non-ze...

PT-2026-35897

Name of the Vulnerable Software and Affected Versions curl affected versions not specified Description When using the Certificate Status Request TLS extension, commonly known as OCSP stapling, to verify server certificate validity, the software fails to detect OCSP problems and incorrectly treats...

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error via the reuse of an easy handle in HTTP requests when a custom Host: header is set for the initial request and omitted in a subsequent one. An attacker can obtain cookies intended for a different host by exploiti...

PT-2026-35894

Name of the Vulnerable Software and Affected Versions curl affected versions not specified Description curl may erroneously pass credentials intended for a first proxy to a second proxy. This occurs when curl is configured to use different proxies for different URL schemes, the first proxy requir...