3 matches found
curl: CVE-2026-6276: stale custom cookie host causes cookie leak
Summary: libcurl keeps a stale `data->state.aptr.cookiehost` after a request that uses a custom Host: header. On later requests on the same easy handle, when no custom Host: is used, libcurl still reuses that stale value for outgoing cookie selection (lib/http.c:2560-2563) and incoming Set-Cookie...
curl: Cross‑origin cookies leak and injection risk when using a custom Host header
Summary: When a custom hostname is specified, it is used for cookie matching if the cookie engine is also enabled for this transfer. This matching persists in cross-origin redirects even though the originally supplied hostname is removed. cookiehost is set from a custom Host header: lib/http.c...
Mozilla Thunderbird < 115.8
The version of Thunderbird installed on the remote Windows host is prior to 115.8. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2024-07 advisory. - Incorrect code generation could have led to unexpected numeric conversions and potential undefined behavior. Note:...