15267 matches found

Hacker One
added 2026/04/27 2:54 a.m., 12 views

curl: CVE-2026-7168: cross-proxy Digest auth state leak

Summary: On libcurl 8.19.0, Proxy Digest state learned from proxyA survives an independent transfer boundary on a reused easy handle and is emitted preemptively to proxyB when the proxy is changed. In the attached C PoC, the first CONNECT to proxyB carries Proxy-Authorization: Digest ... built fr...

CVSS 5.3, AI score 5.5, EPSS 0.00079
Exploits: 1
Hacker One
added 2026/04/26 10:35 p.m., 9 views

Shopify: Missing HMAC validation on /uninstall webhook in Shopify/sample-django-app reference template

Repository: https://github.com/Shopify/sample-django-app Description The /uninstall webhook endpoint in sample-django-app processes incoming requests without verifying the X-Shopify-Hmac-Sha256 header. Shopify explicitly requires this validation as a mandatory security measure for all webhook...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/25 12:18 a.m., 17 views

curl: CVE-2026-7009: OCSP stapling bypass with Apple SecTrust

Summary: When curl is built with --with-apple-sectrust or -DUSE_APPLE_SECTRUST=ON and OpenSSL, the --cert-status / CURLOPT_SSL_VERIFYSTATUS option is silently bypassed when Apple SecTrust handles certificate chain verification instead of OpenSSL. The user explicitly requests OCSP stapling enforcement,...

CVSS 6.5, AI score 5.5, EPSS 0.00559
Exploits: 3
Hacker One
added 2026/04/24 1:34 p.m., 9 views

Brave Software: iOS Brave Playlist "Open in Private Tab" bypasses FaceID requirement for Private Tabs

A vulnerability was discovered in the Brave browser for iOS where adding or opening a song in the Brave playlist and holding for the "Open in new Private Tab" option bypassed the Face ID or passcode requirement for accessing Private Tabs. This affected Brave iOS version 1.88 and iOS version 26.4....

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/20 6:46 a.m., 11 views

curl: Heap-buffer-overflow in `Curl_ssl_push_certinfo_len()` — sole bounds check is `DEBUGASSERT`

Summary: Curl_ssl_push_certinfo_len in lib/vtls/vtls.c uses DEBUGASSERT(certnum < num_of_certs) as its only bounds check before writing a heap pointer into ci->certinfo[certnum]. DEBUGASSERT is a no-op in every release/production build (lib/curl_setup.h:1084). Any mismatch between the count passed to...

AI score 5.7
Exploits: 0
Hacker One
added 2026/04/20 6:36 a.m., 9 views

curl: Stack exhaustion in MIME multipart reading with deeply nested subparts

Summary: The MIME read path uses mutually recursive helpers for nested multipart structures without enforcing a recursion depth limit. A sufficiently deep tree of nested curlmimesubparts objects causes stack exhaustion when libcurl starts reading the MIME body. The attached PoC builds a deeply...

AI score 5.5
Exploits: 0
Hacker One
added 2026/04/18 11:22 p.m., 7 views

curl: Use-after-free in `curl_easy_ssls_export()` during callback re-entrancy

Summary: curl_easy_ssls_export iterates the SSL session list and invokes a caller-provided callback for each entry. If that callback calls curl_easy_ssls_import on the same easy handle, the import path can evict and free the current session node while the export loop still holds it. The subsequent...

AI score 5.5
Exploits: 0
Hacker One
added 2026/04/17 6:59 p.m., 29 views

curl: libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms

Summary: libcurl omits the IPv6 zoneid component from multiple security-sensitive host identity decisions even though the connection layer still routes by zoneid. As a result, two distinct scoped/link-local destinations such as fe80::X%zoneA and fe80::X%zoneB are treated as the same host by...

CVSS 7.5, AI score 6.7, EPSS 0.00152
Exploits: 1
Hacker One
added 2026/04/17 2:41 p.m., 11 views

curl: libcurl reuses a learned RTSP Session header across different hosts on the same easy handle, enabling cross-host session leak and replay

Summary: libcurl automatically learns RTSP Session: headers from server responses and stores them in data->set.str[STRING_RTSP_SESSION_ID] in lib/rtsp.c:1015-1033. On later RTSP requests using the same easy handle, rtsp_do reads that easy-handle-scoped value at lib/rtsp.c:373 and unconditionally emits...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/17 1:04 p.m., 9 views

Revive Adserver: Stored XSS via malicious usernames in audit log details + Username validation bypass in XML-RPC addUser

Vulnerability description not provided...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/17 12:29 p.m., 15 views

curl: Digest Auth State Leak on Cross-Origin Redirect via Netrc - Username and Password Hash Sent to Wrong Host

Summary: When curl follows an HTTP redirect from hostA to hostB using --netrc --digest -L, Digest authentication state (nonce, realm) from hostA persists and is combined with hostB's netrc credentials to generate an unsolicited Digest Authorization header sent to hostB. This leaks hostB's username i...

CVSS 5.7, AI score 6.7, EPSS 0.00314
Exploits: 1
Hacker One
added 2026/04/17 7:47 a.m., 13 views

Shopify: mruby-engine: UAF in MRubyEngine#initialize enables local RCE

Summary: Double-init of MRubyEngine frees the engine and unmaps the mspace, but leaves the Ruby DATA_PTR dangling. The kernel reuses the freed VA via mmap(MAP_FIXED). The attacker forges a me_mruby_engine struct + mrb_state in the reclaimed region, points mrb_state->allocf at libc's system, and arranges the bytes of mrb_state to also spell a shell...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/16 7:50 p.m., 7 views

Revive Adserver: Banner status override by advertiser-level users

A vulnerability was reported in Revive Adserver 6.0.6 and earlier, which allowed an advertiser-level user to activate or deactivate a banner without proper permissions. The issue was caused by the banner-edit.php script, which allowed the banner status to be overwritten solely based on banner edi...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/16 11:28 a.m., 15 views

curl: CVE-2026-6429: netrc credential leak with reused proxy connection

Summary: libcurl can leak .netrc-derived host Authorization credentials across redirected hosts when an HTTP proxy connection is reused. In the PoC, .netrc contains credentials only for a.test, but after a.test redirects to b.test and then c.test over the same keep-alive proxy connection, libcurl...

CVSS 5.3, AI score 5.5, EPSS 0.00021
Exploits: 1
Hacker One
added 2026/04/16 9:24 a.m., 5 views

Revive Adserver: Missing access control when modifying parent entities via XML-RPC

Vulnerability description not provided...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/15 9:11 p.m., 13 views

CoinMate.io: POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)

A vulnerability was discovered in the CoinMate API where the POST /api/bitcoinWithdrawalFees endpoint was accessible without authentication, despite being documented as a private endpoint. The endpoint returned real-time Bitcoin withdrawal fee data without requiring any authentication, unlike oth...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/15 6:22 a.m., 14 views

curl: lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a)

Summary: set_transfer_url in lib/http2.c validates the :scheme pseudo-header of PUSH_PROMISE frames only when !via_ssl_conn — a guard added by commit 2e8c922a to block non-TLS connections from accepting TLS-scheme pushes. The symmetric case was not addressed: over TLS, via_ssl_conn is TRUE, the guard at...

AI score 5.9
Exploits: 0
Hacker One
added 2026/04/14 5:03 p.m., 12 views

curl: libcurl stale CURLOPT_AUTOREFERER leaks a previous request URL to a different origin on a reused easy handle

Summary: libcurl keeps a stale data->state.referer after an HTTP redirect when CURLOPT_AUTOREFERER is enabled. Curl_http_follow stores the previous URL into data->state.referer at lib/http.c:1166-1189, and later requests reuse that value when building Referer: at lib/http.c:2954-2957. In my local...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/14 1:25 p.m., 6 views

Revive Adserver: Session ID reuse allowing XML-RPC API authentication bypass

Vulnerability description not provided...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/14 5:45 a.m., 18 views

curl: CVE-2026-6276: stale custom cookie host causes cookie leak

Summary: libcurl keeps a stale data->state.aptr.cookiehost after a request that uses a custom Host: header. On later requests on the same easy handle, when no custom Host: is used, libcurl still reuses that stale value for outgoing cookie selection (lib/http.c:2560-2563) and incoming Set-Cookie...

CVSS 7.5, AI score 5.5, EPSS 0.00013
Exploits: 1
Hacker One
added 2026/04/13 7:36 p.m., 11 views

CoinMate.io: HMAC signature verification omits endpoint and payload allowing request forgery on CoinMate API

A vulnerability was discovered in the HMAC signature verification process of the CoinMate API. The signature was calculated using only the nonce, client ID, and public key, omitting the HTTP endpoint and request payload. This allowed an attacker to hijack a valid signature intended for a read-onl...

AI score 5.9
Exploits: 0
Hacker One
added 2026/04/13 10:02 a.m., 8 views

curl: CVE-2026-6253: proxy credentials leak over redirect-to proxy

Summary: When libcurl follows a redirect and the new URL causes proxy re-selection, proxy credentials learned from the originally selected proxy URL can remain in per-transfer state and be reused for the next proxy. In the validated case, a redirect from http:// to https:// switches selection fro...

CVSS 5.9, AI score 5.4, EPSS 0.0003
Exploits: 1
Hacker One
added 2026/04/13 9:57 a.m., 5 views

Revive Adserver: Stored XSS via Full Name field in userlog email entries

Vulnerability description not provided...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/13 5:18 a.m., 15 views

curl: Argument Injection via curl Short-Flag Grouping

This report details how the curl -os command facilitates an Argument Injection vulnerability in applications that wrap the curl command-line tool. The specific command curl -os /etc/passwd --url http://example.com demonstrates a subtle but dangerous behavior. Because -s (silent) follows -o (output),...

AI score 6.3
Exploits: 0
Hacker One
added 2026/04/11 5:52 p.m., 6 views

curl: Negotiate Authentication Premature on Connection Reuse

Summary: Curl 8.19.0+ inappropriately sends Negotiate authentication headers on reused keep-alive connections where authentication was already completed. Commit ab650379a8 (June 2025) moved the negotiate auth context to on-demand metadata storage, but during connection reuse the metadata gets cleared...

AI score 5.6
Exploits: 0
Hacker One
added 2026/04/11 3:01 a.m., 14 views

curl: Integer Overflow/Signedness Mismatch in Printf Precision for HTTP/2 Trailer Headers

BUG IN https://raw.githubusercontent.com/curl/curl/07a9b89fedaec60bdbc254f23f66149b31d2f8da/lib/http2.c: `if(stream->bodystarted) { /* This is a trailer */ H2BUGF(infof(data_s, "h2 trailer: %.*s: %.*s", namelen, name, valuelen, value)); result = Curl_dyn_addf(&stream->trailer_recvbuf, "%.*s: %.*s\r\n", namelen, name,` ...

CVSS 3.3, AI score 6.2, EPSS 0.00018
Exploits: 0
Hacker One
added 2026/04/10 11:16 p.m., 13 views

Brave Software: Brave Shields Domain Reordering Leads to Origin Confusion

The Brave Shields feature was observed to reorder domain names, leading to potential origin confusion. Specifically, the domain "1.attacker.com" was displayed as "attacker.com.1", and "1.1.1.1.attacker.com" was displayed as "attacker.com.1.1.1.1". This behavior could potentially mislead users abo...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/08 1:18 p.m., 6 views

curl: libcurl: Integer truncation in curl_easy_ssls_import() causes TLS sessions to never expire

Summary: curl_easy_ssls_import deserializes a TLS session blob and stores it in the in-memory session cache. In Curl_ssl_session_unpack (lib/vtls/vtls_spack.c:311), the valid_until field is read as uint64_t and cast directly to curl_off_t (int64_t) with no bounds check — so a crafted blob encoding valid_until =...

AI score 5.9
Exploits: 0
Hacker One
added 2026/04/07 8:23 p.m., 5 views

Revive Adserver: PHP code injection via delivery limitation logical

Vulnerability description not provided...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/06 4:01 p.m., 5 views

Revive Adserver: Reflected XSS via clientid parameter in zone-include.php

Vulnerability description not provided...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/06 2:47 p.m., 5 views

Revive Adserver: Blind SQL injection via clientid parameter in zone-include.php

Vulnerability description not provided...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/05 8:31 p.m., 13 views

curl: SMTP Command Injection via CRLF in libcurl MAIL_FROM / MAIL_RCPT (lib/smtp.c)

Summary: libcurl’s SMTP implementation fails to properly sanitize CRLF sequences in user-controlled inputs passed via CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT. The function smtp_parse_address (lib/smtp.c:277) extracts any data following the closing character as a raw suffix and incorporates it directly int...

AI score 6.2
Exploits: 0
Hacker One
added 2026/04/05 10:42 a.m., 12 views

curl: CVE-2026-5773: wrong reuse of SMB connection

A vulnerability was discovered in curl version 8.19.0 and earlier versions that support SMB. The vulnerability was due to the incorrect reuse of SMB connections across different shares on the same server. This led to data spoofing and access control bypass. The issue was caused by the lack of...

CVSS 7.5, AI score 5.5, EPSS 0.00019
Exploits: 1
Hacker One
added 2026/04/05 8:47 a.m., 5 views

Revive Adserver: Missing access control when linking trackers to campaigns

A missing access control check was reported when linking trackers to campaigns through the "campaign-trackers.php" script of Revive Adserver 6.0.6 and earlier. A low-privileged user could link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent...

AI score 5.7
Exploits: 0
Hacker One
added 2026/04/05 7:15 a.m., 8 views

Revive Adserver: Missing access control when linking banners or campaigns to zones

A missing access control check was identified when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API. This could have allowed a low-privileged user to link their zones to banners or campaigns owned by other managers on...

AI score 5.7
Exploits: 0
Hacker One
added 2026/04/05 6:46 a.m., 12 views

curl: FTP entrypath accepts 0xFF (Telnet IAC) through incomplete ISCNTRL filter, sent on wire via CWD on connection reuse

Summary: A malicious FTP server can embed byte 0xFF (Telnet IAC) in the PWD response path. The ISCNTRL filter at lib/ftp.c:3095 expands to ISLOWCNTRL(x) || IS7F(x), which (unsigned char)(x) == 0xFF passes; the byte lands in entrypath (line 3131) and is sent verbatim via CWD %s on connection reuse (line 849). I understand the KNOWNRISK.md and...

CVSS 4.3, AI score 6.7, EPSS 0.00083
Exploits: 0
Hacker One
added 2026/04/05 6:17 a.m., 11 views

curl: no_proxy IDN mismatch: Unicode hostnames bypass proxy exclusion list

Summary: Unicode IDN hostnames in no_proxy are never converted to punycode before comparison, so they never match the request hostname, which curl has already converted to punycode. A user who types no_proxy="bücher.de" and requests http://bücher.de/ expects the proxy to be bypassed. Instead curl...

CVSS 7.5, AI score 6.6, EPSS 0.00048
Exploits: 1
Hacker One
added 2026/04/05 6:08 a.m., 8 views

curl: Improper enforcement of CURLOPT_SOCKS5_AUTH due to missing reuse key validation in libcurl

Detail:
- lib/setopt.c:1048-1051: CURLOPT_SOCKS5_AUTH is stored into data->set.socks5auth
- lib/socks.c:597-641 (socks5req0init): a fresh SOCKS5 handshake reads data->set.socks5auth; if BASIC is not allowed, it clears sx->proxyuser at 618-620, so username/password auth is not even offered
- ...

AI score 5.9
Exploits: 0
Hacker One
added 2026/04/03 7:15 p.m., 7 views

curl: Internal application wrapper or script using curl

While -guid is not a standard or documented curl command, a Command Injection or Argument Injection vulnerability within a specific application that wraps curl. Security Analysis: curl -guid -url example.com. 1. Status of the "-guid" flag: Undocumented/Non-existent. The official curl binary does not...

AI score 6
Exploits: 0
Hacker One
added 2026/04/03 10:59 a.m., 12 views

curl: ignoring 'options' when doing connection reuse

libcurl contains a significant logic flaw in its connection pool matching mechanism. When a transfer specifies a required authentication policy—such as a specific SASL mechanism (e.g., ;AUTH=GSSAPI) or a restricted set of SSH authentication types (CURLOPT_SSH_AUTH_TYPES)—libcurl fails to verify these...

AI score 5.9
Exploits: 0
Hacker One
added 2026/04/02 9:46 p.m., 12 views

curl: Negotiate connection reuse with wrong credentials when using CURLAUTH_ANY

Summary: CVE-2026-1965 fixed connection reuse for Negotiate authentication by adding url_match_auth_nego in url_match_conn at line 1244 of lib/url.c. When a first handle authenticates via Negotiate (Kerberos) on a connection and that connection returns to the pool, a second handle with different...

CVSS 6.5, AI score 5.6, EPSS 0.00073
Exploits: 0
Hacker One
added 2026/04/02 6:13 p.m., 9 views

curl: CURLOPT_SSH_KNOWNHOSTS and host fingerprint pins are silently bypassed when an SSH connection is reused from the connection pool

Product: libcurl (all versions, all platforms, compiled with USE_SSH). Protocols affected: sftp://, scp://. Summary: libcurl's connection pool reuse logic for SSH-based protocols (SFTP, SCP) contains a security gap that allows a transfer's server-verification policy to be completely ignored. When an...

AI score 6
Exploits: 0
Hacker One
added 2026/04/02 5:39 p.m., 11 views

curl: Data race in Curl_dnscache_add_negative() corrupts shared DNS cache — heap corruption and double-free when using CURLOPT_SHARE with CURL_LOCK_DATA_DNS

Severity: Medium. CVSS 3.1: 6.5 — AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H. Summary: Curl_dnscache_add_negative in lib/dnscache.c modifies the shared DNS cache ha...

AI score 6.2
Exploits: 0
Hacker One
added 2026/04/01 4:00 p.m., 10 views

arkadiyt-projects: Authorization header leak in ssrf_filter via cross-host redirect leads to credential theft and unauthorized access

A vulnerability was discovered in the ssrf_filter library. The vulnerability allowed an attacker-controlled redirect target to receive credentials that were intended only for the original request origin. This was possible because ssrf_filter followed redirects by rebuilding each redirected request...

AI score 5.8
Exploits: 0
Hacker One
added 2026/04/01 3:36 p.m., 8 views

curl: CVE-2026-5545: wrong reuse of HTTP Negotiate connection

Summary: An attacker sharing a libcurl multi-handle connection pool can hijack another user's Negotiate/Kerberos-authenticated connection. When User A authenticates via Negotiate (SPNEGO) and the connection returns to the pool, User B using CURLAUTH_ANY with different credentials gets that connectio...

CVSS 6.5, AI score 5.7, EPSS 0.00037
Exploits: 1
Hacker One
added 2026/04/01 8:24 a.m., 10 views

curl: Cookie attribute TAB injection regression in Set-Cookie parsing

Overview

| | |
|---|---|
| Component | lib/cookie.c — parse_cookie_header |
| Type | Security regression (incomplete input validation) |
| CWE | CWE-20 Improper Input Validation |
| Severity | LOW (CVSS 3.1 estimated 3.7, comparable to CVE-2022-35252) |
| Affected | curl 8.18.0 through current HEAD |

...

CVSS 3.7, AI score 6, EPSS 0.00289
Exploits: 1
Hacker One
added 2026/03/31 10:47 p.m., 8 views

curl: Missing server identity policy enforcement in SSH connection reuse allows host key verification bypass via pool poisoning

Summary: ssh_config_matches in lib/url.c decides whether an existing SSH connection can be reused by a new transfer handle. It checks client key paths (rsa, rsa_pub) but never...

CVSS 7.7, AI score 7.2, EPSS 0.00469
Exploits: 2
Hacker One
added 2026/03/31 7:09 a.m., 5 views

curl: Bypassing Strict SSH Server Verification via Connection Pool Reuse in libcurl

Summary: There is a logic flaw in how libcurl manages its connection pool for SSH protocols (SFTP/SCP). When evaluating an existing connection for reuse, ssh_config_matches in lib/url.c fails to compare server identity verification policies. By ignoring CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5...

AI score 5.9
Exploits: 0
Hacker One
added 2026/03/30 9:50 p.m., 7 views

curl: Use-After-Free race condition in url_move_hostname() via shared connection pool

Summary: In lib/url.c, url_conn_reuse_adjust calls url_move_hostname, which frees conn->host.rawalloc and conn->host.encalloc via Curl_safefree and Curl_free_idnconverted_hostname after Curl_cpool_find has already released the connection pool lock. A second thread doing a concurrent pool lookup still holds tha...

AI score 5.9
Exploits: 0
Hacker One
added 2026/03/29 7:02 p.m., 13 views

curl: HackerOne Vulnerability Report: libcurl SSL/TLS Identity Leakage via Insecure Connection Reuse

Summary: libcurl contains a critical logic flaw in its connection reuse mechanism where transfers using the CURLOPT_SSL_CTX_FUNCTION SSL context callback to establish a specific identity (e.g., via client certificates) can have their connections incorrectly reused by subsequent, unauthenticated transfe...

AI score 5.9
Exploits: 0
Total number of security vulnerabilities: 15267