
31 matches found

OSV
added 2026/05/04 1:12 p.m., 0 views

JLSEC-2026-432 libcurl accidentally skips the certificate verification for QUIC connections when connecting to a...

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks...

CVSS 6.5, AI score 6.8, EPSS 0.00075
Exploits: 1, References: 6

OSV
added 2026/05/04 1:12 p.m., 5 views

JLSEC-2026-415 libcurl skips the certificate verification for a QUIC connection under certain conditions, when...

libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems...

CVSS 6.3, AI score 7.3, EPSS 0.00205
Exploits: 1, References: 14

Tenable Nessus
added 2026/01/14 12:0 a.m., 0 views

MiracleLinux 3 : curl-7.15.5-9.AXS3 (AXSA:2010-170:01)

The remote MiracleLinux 3 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2010-170:01 advisory. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user...

CVSS 6.8, AI score 7.4, EPSS 0.0548
Exploits: 0, References: 2

Tenable Nessus
added 2025/12/19 12:0 a.m., 3 views

RockyLinux 8 : curl (RLSA-2025:23383)

The remote RockyLinux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2025:23383 advisory. curl: libcurl: Curl out of bounds read for cookie path CVE-2025-9086 Tenable has extracted the preceding description block directly from the RockyLinux security...

CVSS 7.5, AI score 6.4, EPSS 0.00275
Exploits: 1, References: 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2017-1518

Malware in sbrugna...

CVSS 9.1, AI score 9, EPSS 0.00863
Exploits: 0, References: 16

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2009-2413

Malware in sbrugna...

CVSS 7.5, AI score 4.7, EPSS 0.0733
Exploits: 0, References: 33

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2024-3571

Malicious code in bioql PyPI...

CVSS 9.8, AI score 6.3, EPSS 0.00253
Exploits: 0, References: 5

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2024-47336

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.2, EPSS 0.01302
Exploits: 1, References: 5

Tenable Nessus
added 2025/08/07 12:0 a.m., 2 views

CBL Mariner 2.0 Security Update: cmake / mysql (CVE-2025-4947)

The version of cmake / mysql installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-4947 advisory. - libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host...

CVSS 6.5, AI score 6.8, EPSS 0.00075
Exploits: 1, References: 2

Tenable Nessus
added 2025/08/06 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2025-5399

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop...

CVSS 7.5, AI score 6.5, EPSS 0.00566
Exploits: 1, References: 2

Hacker One
added 2025/07/09 3:4 a.m., 14 views

curl: Use-After-Free in OpenSSL Keylog Callback via SSL_get_ex_data() in libcurl

Summary: A Use-After-Free (UAF) vulnerability exists in libcurl when the OpenSSL SSL_CTX_set_keylog_callback is set. The callback may be invoked after the associated SSL object has been freed via SSL_free, leading to access to a dangling pointer and potential crash or information leak via SSL_get_ex_data...

AI score 7.3
Exploits: 0

Tenable Nessus
added 2025/06/26 12:0 a.m., 4 views

Curl 8.13.0 < 8.14.1 DoS (CVE-2025-5399)

The version of Curl installed on the remote host is missing a security update. It is, therefore, affected by a denial of service vulnerability. - Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless...

CVSS 7.5, AI score 6.9, EPSS 0.00566
Exploits: 1, References: 2

Vulnrichment
added 2025/06/07 7:49 a.m., 5 views

CVE-2025-5399 WebSocket endless loop

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS...

AI score 7.6, EPSS 0.00566
Exploits: 1, References: 3

Hacker One
added 2025/05/30 3:38 a.m., 306 views

curl: CVE-2025-5399: WebSocket endless loop

The function curl_ws_send in libcurl contains an infinite loop that can be triggered by a malicious server under specific circumstances. The loop is caused by a condition in the code that is not properly handled, leading to the function failing to terminate. This vulnerability was discovered in the...

CVSS 7.5, AI score 7.2, EPSS 0.00566
Exploits: 1

Tenable Nessus
added 2025/03/05 12:0 a.m., 7 views

Linux Distros Unpatched Vulnerability : CVE-2023-27538

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH...

CVSS 7.7, AI score 6.7, EPSS 0.00012
Exploits: 1, References: 2

Tenable Nessus
added 2025/03/05 12:0 a.m., 10 views

Linux Distros Unpatched Vulnerability : CVE-2023-27536

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An authentication bypass vulnerability exists libcurl 8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect us...

CVSS 5.9, AI score 6.6, EPSS 0.00011
Exploits: 1, References: 2

Tenable Nessus
added 2025/02/20 12:0 a.m., 14 views

Tenable Identity Exposure < 3.77.9 Multiple Vulnerabilities (TNS-2025-01)

The version of the Tenable Identity Exposure running on the remote host is prior to 3.77.9. It is, therefore, affected by multiple vulnerabilities according to advisory TNS-2025-01, including the following: - libcurl would wrongly close the same eventfd file descriptor twice when taking down a...

CVSS 7.7, AI score 7.1, EPSS 0.04569
Exploits: 5, References: 11

ATTACKERKB
added 2025/02/05 10:15 a.m., 1 views

CVE-2025-0665

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve...

CVSS 9.8, AI score 5.8, EPSS 0.04569
Exploits: 1, References: 4, Affected Software: 1

OSV
added 2025/02/05 10:15 a.m., 6 views

AZL-56471 CVE-2025-0725 affecting package mysql for versions less than 8.0.40-4

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow...

CVSS 7.3, AI score 7.6, EPSS 0.006
Exploits: 1, References: 1

Cvelist
added 2025/02/05 9:18 a.m., 12 views

CVE-2025-0725 gzip integer overflow

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow...

EPSS 0.006
Exploits: 1, References: 3