aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections

Summary The serverhostname TLS SNI check can be bypassed when an existing connection is reused. Impact If an application makes multiple requests to the same domain, but with different per-request serverhostname parameters, then the later calls may succeed by reusing the existing connection when...

GHSA-4M7W-QMGQ-4WJ5 aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections

Summary The serverhostname TLS SNI check can be bypassed when an existing connection is reused. Impact If an application makes multiple requests to the same domain, but with different per-request serverhostname parameters, then the later calls may succeed by reusing the existing connection when...

PT-2026-49589

Summary The server hostname TLS SNI check can be bypassed when an existing connection is reused. Impact If an application makes multiple requests to the same domain, but with different per-request server hostname parameters, then the later calls may succeed by reusing the existing connection when...

EulerOS Virtualization 2.13.1 : curl (EulerOS-SA-2026-2368)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcu...

EulerOS Virtualization 2.13.0 : curl (EulerOS-SA-2026-2397)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcu...

EulerOS 2.0 SP13 : curl (EulerOS-SA-2026-2283)

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : libcurl can in some circumstances reuse the wrong connection when asked to dox000D an Negotiate-authenticated HTTP or HTTPS request.x000D x000D...

EulerOS 2.0 SP13 : curl (EulerOS-SA-2026-2326)

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : libcurl can in some circumstances reuse the wrong connection when asked to dox000D an Negotiate-authenticated HTTP or HTTPS request.x000D x000D...

EulerOS Virtualization 2.12.0 : curl (EulerOS-SA-2026-2097)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.libcur...

CVE-2026-7666

A flaw was found in Django. An on-path network attacker could exploit a vulnerability in django.core.mail.backends.smtp.EmailBackend where a partially-initialized connection is reused after a failed STARTTLS handshake when failsilently=True. This could allow the attacker to intercept and read ema...

CVE-2026-7666

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when failsilently=True, which allows on-path network attackers to read ema...

OESA-2026-2477 curl security update

cURL is a computer software project providing a library libcurl and command-line tool curl for transferring data using various protocols. Security Fixes: A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If...

CLSA-2026-1779358660 curl: Fix of 2 CVEs

CVE-2026-5773: wrong reuse of SMB connection; disable connection reuse for SMBS so a subsequent transfer cannot wrongfully reuse a pooled connection to a different share - CVE-2026-6276: clear stale custom-Host cookiehost between requests on the same easy handle cookie leak across origins...

CLSA-2026-1779358008 Fix CVE(s): CVE-2026-5773

SECURITY UPDATE: libcurl may reuse the wrong connection for SMBS transfers, leading to access of an unintended SMB share with the same credentials. - debian/patches/CVE-2026-5773.patch: disable connection reuse for SMBS in lib/url.c by returning early from ConnectionExists when the requested...

CLSA-2026-1779357606 curl: Fix of CVE-2026-5773

CVE-2026-5773: disable connection reuse for SMBS to prevent libcurl from reusing a connection to the same server for a different SMB share...

CLSA-2026-1779357393 curl: Fix of CVE-2026-5773

CVE-2026-5773: disable connection reuse for SMBS to prevent libcurl from reusing a connection to the same server for a different SMB share...

CLSA-2026-1779357116 curl: Fix of CVE-2026-5773

CVE-2026-5773: disable connection reuse for SMBS to prevent libcurl from reusing a connection to the same server for a different SMB share...

Astra Linux - уязвимость в curl

A authentication bypass vulnerability exists in libcurl prior to v8.0.0. It reuses an previously established SSH connection, even though one SSH option has been modified, which should prevent such reuse. libcurl maintains a pool of previously used connections and can reuse them for subsequent...

CLSA-2026-1779098432 Fix CVE(s): CVE-2026-5773

SECURITY UPDATE: wrong SMB connection reused due to missing share comparison - debian/patches/CVE-2026-5773.patch: disable connection reuse for SMBS by replacing connkeep with connclose in smbconnect lib/smb.c - CVE-2026-5773...

SUSE-SU-2026:1940-1 Security update for curl

This update for curl fixes the following issues: Security issues fixed: - CVE-2026-4873: connection reuse ignores TLS requirement bsc1262631. - CVE-2026-5545: wrong reuse of HTTP Negotiate connection bsc1262632. - CVE-2026-6253: proxy credentials leak over redirect-to proxy bsc1262635. -...

curl: Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers

Summary: libcurl's connection pool match logic does not include the CURLOPTHAPROXYPROTOCOL setting or the CURLOPTHAPROXYCLIENTIP value in its connection match key. Two transfers issued through the same Curleasy or via a shared connection cache CURLLOCKDATACONNECT therefore share one TCP connectio...