Lucene search
K

169 matches found

OSV
OSV
added 2026/06/24 2:0 p.m.2 views

UBUNTU-CVE-2026-8458

libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different "services". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When...

5.8AI score
Exploits0References4
OSV
OSV
added 2026/06/24 8:0 a.m.9 views

CURL-CVE-2026-9547 SSH improper host validation

When a libcurl-based application performs transfers via SCP:// or SFTP:// and utilizes the CURLOPTSSHKEYFUNCTION callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for th...

5.9AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/06/15 8:37 p.m.13 views

Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse

CurlAsyncHTTPClient leaks per-request credentials on handle reuse Summary CurlAsyncHTTPClient pools and reuses pycurl handles across requests but does not reset them between requests, and several per-request options are applied with no clearing branch. As a result, sensitive state set by one...

5.4AI score
Exploits0References2Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/12 12:0 a.m.11 views

EulerOS Virtualization 2.13.0 : curl (EulerOS-SA-2026-2397)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcu...

6.5CVSS7.8AI score0.00333EPSS
Exploits2References4
Redos
Redos
added 2026/05/29 12:0 a.m.14 views

ROS-20260529-73-0018

The vulnerability of the sscanf function in the libcurl library, a software tool for interacting with servers via CURL, is related to the use of uninitialized resources. Exploiting this vulnerability could allow an attacker to gain unauthorized access to protected information...

3.1CVSS5.8AI score0.04385EPSS
Exploits1
OSV
OSV
added 2026/05/21 2:43 p.m.7 views

CLSA-2026-1779358660 curl: Fix of 2 CVEs

CVE-2026-5773: wrong reuse of SMB connection; disable connection reuse for SMBS so a subsequent transfer cannot wrongfully reuse a pooled connection to a different share - CVE-2026-6276: clear stale custom-Host cookiehost between requests on the same easy handle cookie leak across origins...

7.5CVSS5.8AI score0.00549EPSS
Exploits2References1
OSV
OSV
added 2026/05/14 7:22 p.m.11 views

CLSA-2026-1778786567 curl: Fix of 2 CVEs

CVE-2018-1000120: fix buffer overflow exists in the FTP URL handling - CVE-2018-1000007: fix leak authentication data to third parties in HTTP requests...

9.8CVSS7.5AI score0.12058EPSS
Exploits0References1
Hacker One
Hacker One
added 2026/05/14 6:30 p.m.25 views

curl: NULL pointer dereference in libcurl URL API redirect_url() with CURLU_DEFAULT_SCHEME

Summary A NULL pointer dereference appears to exist in libcurl's URL API path when curlurlset handles a relative URL together with CURLUDEFAULTSCHEME on a CURLU handle that has host/path information but no stored u-scheme. The issue is in lib/urlapi.c inside redirecturl, where u-scheme is used in...

5.6AI score
Exploits0
EUVD
EUVD
added 2026/05/14 3:31 p.m.36 views

EUVD-2026-29930

When asked to both use a .netrc file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances...

5.3CVSS5.8AI score0.00519EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/05/14 12:0 a.m.8 views

Fedora 42 : php (2026-3a58db70ca)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-3a58db70ca advisory. PHP version 8.4.21 07 May 2026 Core: Fixed bug GH-19983 GC assertion failure with fibers, generators and destructors. iliaal Fixed bug GH-21478...

9.8CVSS5.9AI score0.0078EPSS
Exploits1References13
EUVD
EUVD
added 2026/05/13 6:30 p.m.9 views

EUVD-2026-29924

libcurl might in some circumstances reuse the wrong connection for SMBS transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the...

7.5CVSS5.8AI score0.00549EPSS
Exploits1References5
OSV
OSV
added 2026/05/13 1:1 p.m.5 views

ALPINE-CVE-2026-7168

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

5.3CVSS5.5AI score0.00471EPSS
Exploits1References1
NVD
NVD
added 2026/05/13 1:1 p.m.10 views

CVE-2026-5545

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTPS request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid...

6.5CVSS0.00414EPSS
Exploits1References3
NVD
NVD
added 2026/05/13 1:1 p.m.10 views

CVE-2026-5773

libcurl might in some circumstances reuse the wrong connection for SMBS transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the...

7.5CVSS0.00549EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/05/13 8:28 a.m.90 views

CVE-2026-6276 stale custom cookie host causes cookie leak

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second reques...

0.00291EPSS
Exploits1References3
CVE
CVE
added 2026/05/13 8:27 a.m.43 views

CVE-2026-5545

CVE-2026-5545 affects libcurl: a logical error in connection reuse can cause a request to a server usingNegotiate authentication with user1:password1 to be mistakenly sent over a connection still authenticated for user1 when a second operation tries to authenticate as user2:password2 on the same ...

6.5CVSS5.8AI score0.00414EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/05/07 5:37 p.m.7 views

CLSA-2026-1778175425 curl: Fix of 2 CVEs

CVE-2016-8624: invalid URL parsing with '' - CVE-2016-8623: use-after-free via shared cookies...

7.5CVSS6.8AI score0.05915EPSS
Exploits0References1
Hacker One
Hacker One
added 2026/05/07 7:48 a.m.16 views

curl: Shared HSTS cache accessed without lock

This is finding F5 in Andrew's report https://github.com/curl/curl/blob/455bebc2c7/lib/hsts.cL160-L168 https://github.com/curl/curl/blob/455bebc2c7/lib/http.cL3571 https://github.com/curl/curl/blob/455bebc2c7/lib/url.cL1441 https://github.com/curl/curl/blob/455bebc2c7/lib/url.cL265...

5.9CVSS7.5AI score0.01856EPSS
Exploits1
OSV
OSV
added 2026/05/05 9:18 p.m.7 views

CLSA-2026-1777877363 curl: Fix of 2 CVEs

CVE-2019-5436: tftp: use the current blksize for recvfrom - CVE-2016-8615: cookie: replace use of fgets with custom version...

7.8CVSS6.6AI score0.49739EPSS
Exploits1References1
OSV
OSV
added 2026/05/04 1:12 p.m.7 views

JLSEC-2026-430 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file,...

When doing SSH-based transfers using either SCP or SFTP, and setting the knownhosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global knownhosts file...

5.3CVSS6.7AI score0.00457EPSS
Exploits1References6
Rows per page
Query Builder