CVE-2026-3783 affecting package curl for versions less than 8.11.1-6
CVE-2026-3783 affecting package curl for versions less than 8.11.1-6. A patched version of the package is available...
CVE-2026-1965 affecting package curl for versions less than 8.11.1-6
CVE-2026-1965 affecting package curl for versions less than 8.11.1-6. A patched version of the package is available...
Security Bulletin: Vulnerability impacts AIX due to cURL libcurl (CVE-2025-14524)
Summary Vulnerability in cURL libcurl might wrongly pass on an OAuth2 bearer token CVE-2025-14524. AIX uses cURL libcurl as part of rsyslog, LV/PV encryption integration with HPCS and in Live Update for interacting with HMC. Vulnerability Details CVEID:CVE-2025-14524 DESCRIPTION: When an OAuth2...
Vulnerability impacts AIX due to cURL libcurl (CVE-2025-14524)
IBM SECURITY ADVISORY First Issued: Wed Apr 15 15:24:39 CDT 2026 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/curladvisory9.asc Security Bulletin: Vulnerability impacts AIX due to cURL libcurl CVE-2025-14524...
WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
Summary The incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the file_get_contents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Affected Package - Ecosystem: Other - Package: AVideo - Affected versions: = commit...
curl: CVE-2026-6276: stale custom cookie host causes cookie leak
Summary: libcurl keeps a stale data->state.aptr.cookiehost after a request that uses a custom Host: header. On later requests on the same easy handle, when no custom Host: is used, libcurl still reuses that stale value for outgoing cookie selection (lib/http.c:2560-2563) and incoming Set-Cookie...
curl: CVE-2026-6253: proxy credentials leak over redirect-to proxy
Summary: When libcurl follows a redirect and the new URL causes proxy re-selection, proxy credentials learned from the originally selected proxy URL can remain in per-transfer state and be reused for the next proxy. In the validated case, a redirect from http:// to https:// switches selection fro...
curl: Argument Injection via curl Short-Flag Grouping
This report details how the curl -os command facilitates an Argument Injection vulnerability in applications that wrap the curl command-line tool. The specific command curl -os /etc/passwd --url http://example.com demonstrates a subtle but dangerous behavior. Because -s (silent) follows -o (output),...
Exploit for Use After Free in Haxx Curl
CVE-2026-3805: Use-After-Free in curl SMB Connection Reuse I...
curl: Integer Overflow/Signedness Mismatch in Printf Precision for HTTP/2 Trailer Headers
BUG IN https://raw.githubusercontent.com/curl/curl/07a9b89fedaec60bdbc254f23f66149b31d2f8da/lib/http2.c (C): if(stream->bodystarted) { /* This is a trailer */ H2BUGF(infof(data_s, "h2 trailer: %.*s: %.*s", namelen, name, valuelen, value)); result = Curl_dyn_addf(&stream->trailer_recvbuf, "%.*s: %.*s\r\n", namelen, name,...
ClickFix finds a new way to infect Macs
ClickFix campaigns are looking for alternatives now that many Mac users have been made aware of the dangers of pasting certain commands into Terminal. Researchers found that ClickFix has kept the same social engineering playbook but completely sidestepped Terminal by using the applescript:// URL...
Malicious code in @genoma-ui/components (npm)
Malicious package detected. It uses pre/post install scripts to download/execute code and exfiltrate user data via curl from a hardcoded IP. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a5fb9acd5bf2a73c82be9ac19b7c0cad285cfea2a4b6ff69655f61e7e4a0c26c The...
ROS-20260410-73-0016
Vulnerability in curl related to authentication bypass due to an initial bug. Exploitation of the vulnerability could allow an attacker acting remotely to escalate their privileges...
ROS-20260410-73-0015
Vulnerability in curl related to authentication bypass due to an initial bug. Exploitation of the vulnerability could allow an attacker acting remotely to escalate their privileges...
ROS-20260410-73-0013
Vulnerability in curl related to access control flaws. Exploitation of the vulnerability could allow an attacker to escalate privileges...
CVE-2026-33752
curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata...
Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: curl: curl-8.19.0-3.hum1 (aarch64, x86_64), libcurl-8.19.0-3.hum1 (aarch64, x86_64), libcurl-devel-8.19.0-3.hum1 (aarch64, x86_64), libcurl-minimal-8.19.0-3.hum1 (aarch64, x86_64), curl-8.19.0-3.hum1.src (source)...
CVE-2026-33752 Redirect-based SSRF leading to internal network access in curl_cffi (with TLS impersonation bypass)
curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata...
CVE-2026-33752
CVE-2026-33752 affects the Python binding curl_cffi for libcurl. Before version 0.15.0, curl_cffi does not restrict outbound requests to internal IP ranges and follows redirects automatically via libcurl. This enables an attacker-controlled URL to redirect to internal services (e.g., cloud metada...
curl_cffi Code Issue Vulnerability
curl_cffi is a Python HTTP client library developed by individual developer Lexiforest, which supports browser fingerprint simulation. Versions of curl_cffi prior to 0.15.0 have code vulnerabilities. These vulnerabilities stem from the lack of restrictions on requests directed to internal IP ranges,...