10126 matches found

Hacker One
added 2026/03/03 10:21 p.m., 11 views

curl: CVE-2026-3783: token leak with redirect and netrc

Summary: When --oauth2-bearer is used with --netrc and curl follows a redirect, the bearer token leaks to the redirect target. The netrc bypass at http.c:822 skips Curl_auth_allowed_to_host, allowing the token through. This is an incomplete fix for CVE-2025-14524 — the Dec 2025 SASL fix patched...

CVSS 5.3, AI score 6.7, EPSS 0.01285
Exploits: 4

Ubuntu
added 2026/03/03 6:42 p.m., 17 views

USN-8062-2: curl vulnerabilities

USN-8062-1 fixed vulnerabilities in curl. This update provides the corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224 for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: It was discovered that curl incorrectly handled...

CVSS 6.3, AI score 6, EPSS 0.00064
Exploits: 2

OSV
added 2026/03/03 6:42 p.m., 1 view

USN-8062-2 curl vulnerabilities

USN-8062-1 fixed vulnerabilities in curl. This update provides the corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224 for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: It was discovered that curl incorrectly handled...

CVSS 6.3, AI score 6.1, EPSS 0.00064
Exploits: 2, References: 4

Broadcom
added 2026/03/03 12:00 a.m., 15 views

Out of bounds read for cookie path

1. A cookie is set using the secure keyword for https://target.
2. curl is redirected to, or otherwise made to speak with, http://target (same hostname, but using clear text HTTP) using the same cookie set.
3. The same cookie name is set, but with just a slash as path (path="/"). Since this site is not secure,...

CVSS 7.5, AI score 6, EPSS 0.00364
Exploits: 1

Tenable Nessus
added 2026/03/03 12:00 a.m., 3 views

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : curl vulnerabilities (USN-8062-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8062-1 advisory. It was discovered that curl incorrectly handled cookies when redirected from secure to insecure connections. An attacker could possib...

CVSS 7.5, AI score 7, EPSS 0.00364
Exploits: 4, References: 10

Metasploit
added 2026/03/02 6:58 p.m., 223 views

MajorDoMo Supply Chain RCE via Update Poisoning

This module exploits an unauthenticated remote code execution vulnerability in MajorDoMo's saverestore module via supply chain poisoning. The saverestore module's admin method is reachable without authentication through the /objects/?module=saverestore endpoint because usual calls admin directly...

CVSS 9.8, AI score 6.3, EPSS 0.48797
Exploits: 4

Hacker One
added 2026/03/02 12:55 a.m., 13 views

curl: Use after free in hyperfifo example

Summary: THIS ONLY IS AN ISSUE IN EXAMPLE CODE, NOT CURL ITSELF! In the hyperfifo example the event base is freed before curl_multi_cleanup is called. This leads to a use after free in the addsocket callback, when libevent tries to lock a mutex in the base event during the curl shutdown. Link t...

AI score 5.7
Exploits: 0

IBM Security Bulletins
added 2026/02/27 3:52 p.m., 13 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to multiple Base OS issues

Summary: IBM Watson Speech Services Cartridge is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability Details: CVEID: CVE-2024-56433...

CVSS 8.6, AI score 6.2, EPSS 0.05999
Exploits: 5, Affected Software: 1

Hacker One
added 2026/02/26 2:30 p.m., 12 views

curl: Curl Telnet Handler Buffer Overflow

Summary: I found a buffer overflow in curl's telnet protocol handler that allows remote memory corruption without authentication. The bug is in the CURL_SB_ACCUM macro in lib/telnet.c line 69, where the bounds check lets you write one byte past the end of a 512-byte buffer. When curl receives 512+...

AI score 6.2
Exploits: 0

Hacker One
added 2026/02/26 10:53 a.m., 12 views

curl: RTSP RTP Interleaved Parser Assertion Failure (Zero-Length RTP Payload)

Summary: I am submitting this as a security issue primarily due to how it was discovered and that it's my first Curl submission, but I suspect I might be overly cautious here. This issue was discovered as part of the AIXCC competition, and I am assisting on reporting true positive findings to...

AI score 5.9
Exploits: 0

Hacker One
added 2026/02/26 10:52 a.m., 10 views

curl: Integer Overflow in curl_multi_get_handles() Leading to Heap Buffer Overflow

Integer Overflow in curl_multi_get_handles Leading to Heap Buffer Overflow. Summary: The curl_multi_get_handles function in lib/multi.c contains an integer overflow vulnerability when the number of easy handles in a multi handle approaches UINT_MAX (4,294,967,295). When count == UINT_MAX, the expression coun...

AI score 6.9
Exploits: 0

Hacker One
added 2026/02/26 4:11 a.m., 11 views

curl: Able to bypass HSTS using trailing dot

Summary: curl allows users to load an HSTS cache which will cause curl to use HTTPS instead of HTTP given an HTTP URL for a given site specified in the HSTS cache. Affected version: the curl version used for reproducing this issue is 8.16.0. curl --version: curl 8.16.0 Windows libcurl/8.16.0 Schannel...

AI score 5.4
Exploits: 0

OpenVAS
added 2026/02/26 12:00 a.m., 3 views

Ubuntu: Security Advisory (USN-8062-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5, AI score 5.4, EPSS 0.00364
Exploits: 4, References: 2

OSV
added 2026/02/25 12:34 a.m., 2 views

USN-8062-1 curl vulnerabilities

It was discovered that curl incorrectly handled cookies when redirected from secure to insecure connections. An attacker could possibly use this issue to cause a denial of service, or obtain sensitive information. This issue only affected Ubuntu 25.10. CVE-2025-9086 Calvin Ruocco discovered that...

CVSS 7.5, AI score 6.7, EPSS 0.00364
Exploits: 4, References: 10

Ubuntu
added 2026/02/25 12:34 a.m., 6 views

USN-8062-1: curl vulnerabilities

It was discovered that curl incorrectly handled cookies when redirected from secure to insecure connections. An attacker could possibly use this issue to cause a denial of service, or obtain sensitive information. This issue only affected Ubuntu 25.10. CVE-2025-9086 Calvin Ruocco discovered that...

CVSS 7.5, AI score 5.8, EPSS 0.00364
Exploits: 4

Veracode
added 2026/02/23 7:51 a.m., 5 views

Server-Side Request Forgery (SSRF)

Cowrie is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to the wget and curl emulation making real outbound HTTP requests without rate limiting, which allows an attacker to repeatedly trigger requests and abuse the honeypot to generate denial-of-service traffic toward...

CVSS 7.5, AI score 6, EPSS 0.00292
Exploits: 1, References: 3, Affected Software: 1

OSV
added 2026/02/21 8:59 a.m., 8 views

CLSA-2026-1771664389 curl: Fix of 2 CVEs

- CVE-2025-14524: fix OAuth2 bearer token leak on cross-protocol redirect
- CVE-2025-15224: fix libssh public-key auth fallback to SSH agent...

CVSS 5.3, AI score 6.4, EPSS 0.00064
Exploits: 2, References: 1

Tenable Nessus
added 2026/02/20 12:00 a.m., 7 views

Tenable Security Center Multiple Vulnerabilities (TNS-2026-06)

According to its self-reported version, the Tenable Security Center running on the remote host is prior or equal to 6.7.2 and missing relevant patches. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2026-06 advisory. - In PHP versions 8.1.* before 8.1.34, 8.2.* before...

CVSS 8.8, AI score 7.3, EPSS 0.00763
Exploits: 7, References: 13

OSV
added 2026/02/19 11:51 a.m., 8 views

CLSA-2026-1771501913 curl: Fix of CVE-2025-15079

CVE-2025-15079: fix accepting hosts not present in the specified known_hosts during SSH-based SCP/SFTP transfers when the global known_hosts contained them; restrict host verification to the specified known_hosts file...

CVSS 5.3, AI score 6.6, EPSS 0.0003
Exploits: 1, References: 1

OSV
added 2026/02/19 11:40 a.m., 3 views

CLSA-2026-1771501223 curl: Fix of CVE-2025-15079

CVE-2025-15079: fix accepting hosts not present in the specified known_hosts during SSH-based SCP/SFTP transfers when the global known_hosts contained them; restrict host verification to the specified known_hosts file...

CVSS 5.3, AI score 6.4, EPSS 0.0003
Exploits: 1, References: 1