Lucene search
K

12 matches found

NVD
NVD
added 4 days ago7 views

CVE-2026-54919

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In affected Mbed TLS backend versions from 0.31.0 through 0.46.1 and wolfSSL backend versions from 0.33.0 through 0.46.1, when cpp-httplib is built with CPPHTTPLIBMBEDTLSSUPPORT or CPPHTTPLIBWOLFSSLSUPPORT and a...

7.4CVSS0.00264EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago30 views

CVE-2026-54919 cpp-httplib: TLS certificate chain verification bypassed for IP-literal hosts on Mbed TLS and wolfSSL backends

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In affected Mbed TLS backend versions from 0.31.0 through 0.46.1 and wolfSSL backend versions from 0.33.0 through 0.46.1, when cpp-httplib is built with CPPHTTPLIBMBEDTLSSUPPORT or CPPHTTPLIBWOLFSSLSUPPORT and a...

7.4CVSS0.00264EPSS
Exploits0References3
CVE
CVE
added 4 days ago13 views

CVE-2026-54919

cpp-httplib on Mbed TLS and wolfSSL backends was vulnerable to a TLS certificate chain verification bypass for IP-literal hosts (affecting v0.31.0–0.46.1) when server verification was enabled; SSLClient/Client could skip chain validation and Mbed TLS WebSocketClient could skip verification. The i...

7.4CVSS6.9AI score0.00264EPSS
Exploits0References3Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/07/03 12:0 a.m.9 views

Fedora 44 : cpp-httplib (2026-1b15ac058b)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-1b15ac058b advisory. Update to 0.48.0 rhbz2481109 Security fixes - Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An...

9.9CVSS6.1AI score0.00327EPSS
Exploits4References6
Hacker One
Hacker One
added 2026/06/26 8:40 a.m.21 views

curl: mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0

Summary When an application sets CURLOPTSSLVERIFYPEER=0 while keeping CURLOPTSSLVERIFYHOST=2 the default, the mbedTLS, wolfSSL, and rustls TLS backends silently skip the hostname-vs-certificate check. The OpenSSL, GnuTLS, and Schannel backends correctly preserve hostname checking under the same...

6.1AI score
Exploits0
Hacker One
Hacker One
added 2026/05/13 11:33 p.m.43 views

curl: TLS verifyhost bypass in rustls, mbedTLS, and wolfSSL when verifypeer=0

The now-well-known CURLOPTSSLVERIFYHOST-bypass-when-CURLOPTSSLVERIFYPEER=0 defect exists in three of curl's TLS backends: rustls EXPERIMENTAL, mbedTLS, and wolfSSL DNS hostnames only. The documented contract at docs/libcurl/opts/CURLOPTSSLVERIFYPEER.md:57-59: The check that the host name in the...

5.8CVSS6.5AI score0.04888EPSS
Exploits0
OSV
OSV
added 2026/05/04 1:12 p.m.10 views

JLSEC-2026-433 libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an...

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...

4.8CVSS6.8AI score0.00253EPSS
Exploits2References6
Hacker One
Hacker One
added 2025/12/16 8:31 p.m.19 views

curl: Certificate Pinning Bypass with wolfSSL backend over HTTP/3

Summary: A security feature bypass exists in libcurl when built with the wolfSSL backend and HTTP/3 support. The Certificate Pinning feature --pinnedpubkey is silently ignored if the user also disables peer verification -k or --insecure . This behavior is inconsistent with other backends like...

7AI score
Exploits0
Hacker One
Hacker One
added 2025/12/09 6:59 p.m.29 views

curl: Stack Buffer Overflow in cURL wolfSSL Backend (lib/vtls/wolfssl.c)

Summary: A stack-based buffer overflow exists in the wsslstrerror function of cURL's wolfSSL TLS backend. The function uses an unsafe strcpy call, relying solely on a DEBUGASSERT macro for boundary checking. This macro is disabled in production release builds -DNDEBUG, allowing memory corruption...

7.5AI score
Exploits0
UbuntuCve
UbuntuCve
added 2025/11/05 12:0 a.m.5 views

CVE-2025-10966

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more...

4.3CVSS6.5AI score0.0039EPSS
Exploits1References2
Snyk
Snyk
added 2025/05/28 7:41 a.m.3 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation when wolfSSL is used as the TLS backend for QUIC. An attacker can impersonate a legitimate server or perform a man-in-the-middle attack by exploiting a skipped certificate verification. Note: The skip of...

6.9CVSS6.8AI score0.00248EPSS
Exploits1References2
OSV
OSV
added 2025/05/28 7:15 a.m.8 views

AZL-62038 CVE-2025-5025 affecting package cmake for versions less than 3.30.3-6

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...

4.8CVSS6.6AI score0.00253EPSS
Exploits2References1
Rows per page
Query Builder