91 matches found
EUVD-2026-41505
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...
CVE-2026-8924
CVE-2026-8924 affects curl due to a flaw in its cookie parsing logic. A malicious HTTP server can set “super cookies” that bypass the Public Suffix List, allowing an attacker-controlled origin to inject cookies that curl scopes and transmits to unrelated third-party domains. The connected documen...
Curl 7.46.0 < 8.21.0 Trailing Dot Domain Super Cookie
The version of curl installed on the remote host is 7.46.0 prior to 8.21.0. It is, therefore, affected by a cookie injection vulnerability: - A flaw in curl's cookie parsing logic allows a malicious HTTP server to set super cookies that bypass the Public Suffix List check. CVE-2026-8924 Note that...
UBUNTU-CVE-2026-8924
A flaw in curl's cookie parsing logic allows a malicious HTTP server to set "super cookies" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains...
CURL-CVE-2026-8924 trailing dot domain super cookie
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set "super cookies" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...
PT-2026-51747
Name of the Vulnerable Software and Affected Versions: curl (affected versions not specified). Description: A flaw in the cookie parsing logic allows a malicious HTTP server to set super cookies that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that...
Astra Linux – Vulnerability in curl
This flaw allows a malicious HTTP server to set “super cookies” using curl, which are then transmitted back to multiple origins beyond what is allowed or possible. This enables a site to set cookies that are then sent to different and unrelated sites and domains. The attack exploits a flaw in...
JLSEC-2026-411 This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back...
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a...
NewStart CGSL MAIN 6.06 (SP) : curl Vulnerability (NS-SA-2026-0032)
The remote NewStart CGSL host, running version MAIN 6.06 SP, has curl packages installed that are affected by a vulnerability: - This flaw allows a malicious HTTP server to set super cookies in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows ...
This flaw allows a malicious HTTP server to set "super cookies" in curl
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a...
curl: Public-suffix cookie injection when libpsl is disabled
Summary: When libcurl is built without libpsl, Domain attribute validation accepts public suffixes like .co.uk, allowing a malicious host to plant cookies that are later sent to unrelated sibling domains using the same cookie jar. AI assistance was used to draft this report. Steps to Reproduce: 1...
Siemens SIMATIC S7-1500 and Ruggedcom ROX Devices Improper Input Validation (CVE-2023-46218)
This flaw allows a malicious HTTP server to set super cookies in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mix...
Siemens SIMATIC S7-1500 Missing Encryption of Sensitive Data (CVE-2022-27779)
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot. curl can be told to receive and send cookies. curl's cookie engine can be built with or without Public Suffix List awareness. If PSL support not provided, a more rudimentary check...
EUVD-2025-15014
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-4035
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least...
libsoup: Cookie domain validation bypass via uppercase characters in libsoup
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set...
SUSE CVE-2025-4035
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set...
CVE-2025-4035
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set...
CVE-2025-4035
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set...
AZL-61670 CVE-2025-4035 affecting package libsoup 3.4.4-12
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set...