CVE-2026-53622

CVE-2026-53622 affects Traefik versions 3.6.17–3.7.1. The vulnerability arises in HTTP/3 (QUIC) TLS configuration selection: the code path GetTLSGetClientInfo() performs an exact, case-sensitive lookup on info.ServerName, failing to match wildcard patterns or mixed-case hostnames. As a result, du...

CVE-2026-48491 Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass

Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection SNICheck that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard...

CVE-2026-9697

A flaw was found in undici. When undici's ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier URI, it silently ignores Transport Layer Security TLS options, such as custom Certificate Authorities CAs. This allows a remote attacker to perform a Man-in-the-Middle MITM attack,...

Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts

Summary There is a critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact,...

PT-2026-50163

Name of the Vulnerable Software and Affected Versions Traefik versions 3.6.17 through 3.7.1 Description An issue in the HTTP/3 QUIC TLS configuration selection allows unauthenticated clients to bypass router-specific mutual TLS mTLS enforcement. When HTTP/3 is enabled, the TLS handshake uses an...

Nessus Network Monitor < 6.5.4 Multiple Vulnerabilities (TNS-2026-14)

According to its self-reported version, the Nessus Network Monitor running on the remote host is prior to 6.5.4. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2026-14 advisory. - An integer overflow can be triggered in SQLite's concatws function. The resulting,...

Astra Linux - уязвимость в curl

When doing multi-threaded LDAPS transfers LDAP over TLS with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally...

K000160935: Curl vulnerability CVE-2025-14017

Security Advisory Description When doing multi-threaded LDAPS transfers LDAP over TLS with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific...

EulerOS 2.0 SP12 : curl (EulerOS-SA-2026-1355)

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : When doing multi-threaded LDAPS transfers LDAP over TLS with libcurl, changing TLS options in one thread would inadvertently change them globally an...

EulerOS Virtualization 2.10.0 : curl (EulerOS-SA-2026-1552)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a cross-protocol redirect to a second URL that...

EulerOS Virtualization 2.12.0 : curl (EulerOS-SA-2026-1478)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : When doing multi-threaded LDAPS transfers LDAP over TLS with libcurl,changing TLS options in one thread would inadvertently change th...

USN-8062-2 curl vulnerabilities

USN-8062-1 fixed vulnerabilities in curl. This update provides the corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224 for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: It was discovered that curl incorrectly handled...

CVE-2025-70043

CVE-2025-70043 affects Ayms node-To master. Root cause: TLS certificate validation is disabled via rejectUnauthorized: false in TLS socket options (CWE-295). This improper certificate validation could enable man-in-the-middle attacks. Documents consistently describe the condition but do not provi...

Medium: curl

Issue Overview: curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more. CVE-2025-10966 broken TLS options for threaded LDAPS NOTE:...

SUSE-SU-2026:0508-1 Security update for curl

This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS bsc1256105. - CVE-2025-14524: bearer token leak on cross-protocol redirect bsc1255731. - CVE-2025-14819: libssh global knownhost override bsc1255732. - CVE-2025-15079: libssh key...

Fedora: Security Advisory (FEDORA-2026-3f0f0f85be)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Fedora 42 : curl (2026-3f0f0f85be)

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3f0f0f85be advisory. - fix broken TLS options for threaded LDAPS CVE-2025-14017 Tenable has extracted the preceding description block directly from the Fedora security advisory...

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: curl (UTSA-2026-004936)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004936 advisory. When doing multi-threaded LDAPS transfers LDAP over TLS with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: curl (UTSA-2026-004928)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004928 advisory. When doing multi-threaded LDAPS transfers LDAP over TLS with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore...

SUSE-SU-2026:0221-1 Security update for curl

This update for curl fixes the following issues: - CVE-2025-14017: Fixed broken TLS options for threaded LDAPS bsc1256105...