Lucene search
+L

200 matches found

SUSE CVE
SUSE CVE
added 2026/07/10 3:20 a.m.5 views

SUSE CVE-2026-9545

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL...

5.9CVSS6AI score0.00408EPSS
Exploits1References8
Tenable Nessus
Tenable Nessus
added 2026/07/10 12:0 a.m.7 views

libcurl 7.46.0 < 8.21.0 Super Cookie PSL Bypass (CVE-2026-8924)

The version of libcurl installed on the remote host is 7.46.0 prior to 8.21.0. It is, therefore, affected by a cookie injection vulnerability: - A flaw in curl's cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an...

9.1CVSS6.1AI score0.00649EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/07/08 7:27 p.m.5 views

CVE-2026-10536

A flaw was found in libcurl. This use-after-free vulnerability occurs when an application configures an HTTP/2 stream-dependency tree and then performs a sequence of operations involving curleasyreset and curleasycleanup. During the final cleanup, libcurl attempts to access memory that has alread...

9.8CVSS5.8AI score0.00891EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/07/06 7:51 p.m.6 views

CVE-2026-9545

A flaw was found in libcurl. An attacker can exploit this by replacing a legitimate HTTP/3 server with an impostor machine. When libcurl attempts a second transfer to the same site with a cached SSL session and early data enabled, it may send sensitive request data before verifying the server's...

7.5CVSS5.6AI score0.00408EPSS
Exploits1References6
Snyk
Snyk
added 2026/07/03 8:18 a.m.8 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the process that handles .netrc credential retrieval when a URL is specified with a username but without a password. An attacker can gain unauthorized access to sensitive information by exploiting...

9.1CVSS6AI score0.0061EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.11 views

Double Free

Overview Affected versions of this package are vulnerable to Double Free in the GSASL context cleanup process. An attacker can cause arbitrary code execution or a denial of service by triggering the double-free condition. Remediation Upgrade libcurl to version 8.21.0 or higher. References - Curl...

9.8CVSS6.6AI score0.0108EPSS
Exploits1References2
AlpineLinux
AlpineLinux
added 2026/07/03 6:18 a.m.8 views

CVE-2026-9547

When a libcurl-based application performs transfers via SCP:// or SFTP:// and utilizes the CURLOPTSSHKEYFUNCTION callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for th...

7.4CVSS6AI score0.00508EPSS
Exploits1References3
OSV
OSV
added 2026/07/03 6:18 a.m.4 views

CVE-2026-9546 sending old referer

A vulnerability in libcurl caused the HTTP Referer: header to persist even when explicitly cleared. While the documentation states that passing NULL to CURLOPTREFERER suppresses the header, the option failed to clear the internal state. As a result the previous referrer string was erroneously...

7.5CVSS6.1AI score0.00652EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2026/07/02 3:43 p.m.3 views

curl: libcurl: curl/libcurl: Remote denial of service via QUIC UDP receive function vulnerability

A flaw was found in curl and libcurl. A malicious HTTP/3 server can exploit an issue in the QUIC UDP receive function by continuously streaming empty UDP datagrams. This can lead to a remote denial of service DoS against a curl or libcurl client, as the helper function discards zero-length UDP...

7.5CVSS6.1AI score0.0101EPSS
Exploits1References7
Tenable Nessus
Tenable Nessus
added 2026/06/26 12:0 a.m.14 views

libcurl 8.13.0 < 8.21.0 Use-After-Free in Socket Callback

The version of libcurl installed on the remote host is 8.13.0 prior to 8.21.0. It is, therefore, affected by a use-after-free vulnerability: - Calling curleasypause within the event-based CURLMOPTSOCKETFUNCTION callback triggers a use-after-free vulnerability. CVE-2026-9080 Note that Nessus has n...

7.3CVSS6AI score0.00494EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2026/06/26 12:0 a.m.11 views

libcurl 7.12.0 < 8.21.0 Cross-Proxy Digest Auth State Leak

The version of libcurl installed on the remote host is 7.12.0 prior to 8.21.0. It is, therefore, affected by a proxy credential disclosure vulnerability: - When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy...

9.1CVSS6AI score0.00752EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.7 views

Astra Linux – Vulnerability in curl

When performing SSH-based transfers using either SCP or SFTP, and setting the knownhosts file, libcurl may still mistakenly accept connections to hosts that are not present in the specified file, if those hosts are added as recognized in the libssh global knownhosts file...

5.3CVSS6.7AI score0.00457EPSS
Exploits1References3
OSV
OSV
added 2026/06/24 8:0 a.m.8 views

CURL-CVE-2026-9080 UAF after pause in socket callback

Calling curleasypause within the event-based CURLMOPTSOCKETFUNCTION callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed...

7.3CVSS5.7AI score0.00494EPSS
Exploits1
curl security advisories
curl security advisories
added 2026/06/24 8:0 a.m.7 views

sending old referer

A vulnerability in libcurl caused the HTTP Referer: header to persist even when explicitly cleared. While the documentation states that passing NULL to CURLOPTREFERER suppresses the header, the option failed to clear the internal state. As a result, the previous referrer string was erroneously...

7.5CVSS5.9AI score0.00652EPSS
Exploits1References1Affected Software2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability in curl

A authentication bypass vulnerability exists in libcurl prior to v8.0.0. It reuses an previously established SSH connection, even though one SSH option has been modified, which should prevent such reuse. libcurl maintains a pool of previously used connections and can reuse them for subsequent...

7.7CVSS6.5AI score0.01162EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in curl

There is an authentication bypass vulnerability in libcurl version 8.0.0, particularly in the FTP connection reuse feature. This vulnerability can cause incorrect credentials to be used during subsequent transfers. Previously created connections are retained in a connection pool for reuse if they...

5.9CVSS6.6AI score0.01607EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.3 views

Astra Linux – Vulnerability in curl

libcurl will reuse a previously established connection even when options related to TLS or SSH have been changed, which should prevent such reuses. libcurl stores previously used connections in a connection pool, allowing for reuse if one of them matches the current setup. However, several TLS an...

7.5CVSS6.6AI score0.02596EPSS
Exploits1References2
AlpineLinux
AlpineLinux
added 2026/05/13 8:29 a.m.51 views

CVE-2026-7168

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

5.3CVSS5.8AI score0.00471EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/05/11 12:0 a.m.14 views

Unity Linux 20.1060e / 20.1070e Security Update: curl (UTSA-2026-017594)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017594 advisory. libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPTSSLCERT option --cert with the command li...

7.5CVSS6.5AI score0.0982EPSS
Exploits1References4
OSV
OSV
added 2026/01/30 10:9 p.m.8 views

RLSA-2026:1350 Moderate: curl security update

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fixes: curl: libcurl: Curl out of bounds read for cookie path CVE-2025-9086 For more details about the security issues, including...

5.3CVSS5.9AI score0.01301EPSS
Exploits1References2
Rows per page
Query Builder