
51 matches found

OSV
added 2026/05/04 1:12 p.m. | 3 views

JLSEC-2026-394

When curl 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally widen the permissions for the target file, leaving the...

CVSS 9.8 | AI score 6.8 | EPSS 0.00233
Exploits: 1 | References: 16

OSV
added 2026/05/04 1:12 p.m. | 2 views

JLSEC-2026-400

A vulnerability exists in curl 7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypasse...

CVSS 7.5 | AI score 6.9 | EPSS 0.00045
Exploits: 1 | References: 8

Tenable Nessus
added 2026/05/01 12:0 a.m. | 3 views

Curl 7.14.1 < 8.20.0 Proxy Credential Disclosure

The version of curl installed on the remote host is 7.14.1 prior to 8.20.0. It is, therefore, affected by a proxy credential disclosure vulnerability: - curl might erroneously pass on credentials for a first proxy to a second proxy. This flaw occurs when different proxies are configured for...

CVSS 5.9 | AI score 5.8 | EPSS 0.0003
Exploits: 1 | References: 2

Tenable Nessus
added 2026/05/01 12:0 a.m. | 4 views

Curl 8.17.0 < 8.20.0 OCSP Stapling Bypass

The version of curl installed on the remote host is 8.17.0 prior to 8.20.0. It is, therefore, affected by an OCSP stapling bypass vulnerability: - When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is...

CVSS 5.3 | AI score 5.8 | EPSS 0.00013
Exploits: 1 | References: 2

Fedora
added 2026/04/19 1:25 a.m. | 4 views

[SECURITY] Fedora 42 Update: curl-8.11.1-8.fc42

curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies,...

CVSS 7.5 | AI score 7.3 | EPSS 0.00073
Exploits: 4

Tenable Nessus
added 2026/03/17 12:0 a.m. | 11 views

Curl 7.33.0 < 8.19.0 Token Leak with Redirect and Netrc

The version of curl installed on the remote host is 7.33.0 prior to 8.19.0. It is, therefore, affected by a token leak with redirect and netrc vulnerability: - When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a redirect to a second URL, curl could leak that...

CVSS 5.3 | AI score 7.2 | EPSS 0.00028
Exploits: 1 | References: 2

Rosalinux
added 2026/02/16 7:7 a.m. | 5 views

Advisory ROSA-SA-2026-3133

Software: curl 7.61.1 OS: ROSA Virtualization 2.1 unaffected versions = curl-7.61.1-34.0.2.rv3.9 affected versions curl-7.61.1-34.0.2.rv3.9 CVE-ID: CVE-2025-9086 BDU-ID: 2025-12599 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the cURL command line utility is related to reading data beyond buffer...

CVSS 7.5 | AI score 5.8 | EPSS 0.00275
Exploits: 1

Tenable Nessus
added 2026/01/16 12:0 a.m. | 2 views

MiracleLinux 3 : curl-7.15.5-17.AXS3 (AXSA:2013-534:01)

The remote MiracleLinux 3 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2013-534:01 advisory. cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS, DICT, TELNET and TFTP servers, using any of the supported protocols. cURL is designed to...

CVSS 6.8 | AI score 7.1 | EPSS 0.03181
Exploits: 2 | References: 2

Tenable Nessus
added 2026/01/16 12:0 a.m. | 3 views

MiracleLinux 7 : curl-7.29.0-42.el7.1 (AXSA:2017-2424:02)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2017-2424:02 advisory. A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker coul...

CVSS 9.1 | AI score 7.1 | EPSS 0.00863
Exploits: 0 | References: 2

Tenable Nessus
added 2025/11/11 12:0 a.m. | 3 views

Amazon Linux 2 : curl, --advisory ALAS2-2025-3056 (ALAS-2025-3056)

The version of curl installed on the remote host is prior to 8.3.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-3056 advisory. Out of bounds read for cookie path NOTE: https://curl.se/docs/CVE-2025-9086.html NOTE: Introduced with:...

CVSS 7.5 | AI score 6.5 | EPSS 0.00275
Exploits: 1 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2021-10011

Malware in sbrugna...

CVSS 5.3 | AI score 6.5 | EPSS 0.00115
Exploits: 1 | References: 22

Tenable Nessus
added 2025/09/19 12:0 a.m. | 4 views

SUSE SLED15 / SLES15 Security Update : curl (SUSE-SU-2025:03267-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03267-1 advisory. Security issues fixed: - CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to...

CVSS 7.5 | AI score 6.8 | EPSS 0.00275
Exploits: 1 | References: 9

SUSE Linux
added 2025/09/18 11:9 a.m. | 3 views

Security update for curl

This update for curl fixes the following issues: Security issues fixed: CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer bsc1249191. CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server...

CVSS 7.5 | AI score 6.8 | EPSS 0.00275
Exploits: 1 | References: 16

Tenable Nessus
added 2025/09/12 12:0 a.m. | 13 views

Curl 8.11.0 < 8.16.0 Predictable WebSocket Mask (CVE-2025-10148)

The version of Curl installed on the remote host is 8.11.0 prior to 8.16.0. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-10148 advisory. - curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it...

CVSS 5.3 | AI score 7.6 | EPSS 0.00219
Exploits: 0 | References: 2

Tenable Nessus
added 2025/08/30 12:0 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2022-27776

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An insufficiently protected credentials vulnerability fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host...

CVSS 6.5 | AI score 6.5 | EPSS 0.00682
Exploits: 1 | References: 2

Tenable Nessus
added 2025/05/30 12:0 a.m. | 10 views

Curl 8.8.0 < 8.14.0 Improper Certificate Validation (CVE-2025-4947)

The version of Curl installed on the remote host is missing a security update. It is, therefore, affected by an improper certificate validation vulnerability. - libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the...

CVSS 6.5 | AI score 6.8 | EPSS 0.00075
Exploits: 1 | References: 2

Tenable Nessus
added 2025/03/04 12:0 a.m. | 10 views

Linux Distros Unpatched Vulnerability : CVE-2017-7407

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The ourWriteOut function in toolwriteout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in...

CVSS 2.4 | AI score 6.2 | EPSS 0.00196
Exploits: 0 | References: 2

Tenable Nessus
added 2025/03/04 12:0 a.m. | 8 views

Linux Distros Unpatched Vulnerability : CVE-2016-8624

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '' character, and could instead be...

CVSS 7.5 | AI score 7.2 | EPSS 0.01327
Exploits: 0 | References: 2

UbuntuCve
added 2025/02/05 12:0 a.m. | 12 views

CVE-2025-0665

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve...

CVSS 7 | AI score 6.8 | EPSS 0.04569
Exploits: 1 | References: 2

Tenable Nessus
added 2025/01/09 12:0 a.m. | 21 views

Amazon Linux 2 : curl (ALAS-2025-2724)

The version of curl installed on the remote host is prior to 8.3.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2724 advisory. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or...

CVSS 6.5 | AI score 6.7 | EPSS 0.00745
Exploits: 1 | References: 4