Lucene search
K
HackeroneRecent

15365 matches found

Hacker One
Hacker One
added 2026/05/26 5:19 a.m.20 views

curl: Mentioned unites are at the same time .Then we have to increase the bounty.

Summary: Once you done with the coding then we have to increase the bounty and then write the reviwe on the same Once we find the error then we have to submit the margin and find the events Affected version Use a language that is not susceptible to these issues. However, be careful of null byte...

5.7AI score
Exploits0
Hacker One
Hacker One
added 2026/05/26 2:47 a.m.89 views

curl: TLS conn reuse and session cache ignore fsslctx callback and ssl_config_data flags ( incomplete fix variant of 7541ae569 )

Summary matchsslprimaryconfig in lib/vtls/vtls.c:194 and the session-cache key built by cfsslpeerkeybuild in lib/vtls/vtlsscache.c:240 both compare only struct sslprimaryconfig fields when deciding whether to reuse a TLS connection or cached session. Several fields that materially change the TLS...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/25 8:37 a.m.8 views

Node.js: Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS)

Vulnerability description not provided...

7.5CVSS5.8AI score0.02445EPSS
Exploits0
Hacker One
Hacker One
added 2026/05/23 12:20 p.m.24 views

curl: lib/ldap.c follows attacker-controlled LDAP referrals and binds to a second server; WinLDAP builds leak current logon credentials (confirmed on Window

Summary: curl's generic LDAP backend lib/ldap.c does not disable automatic LDAP referral chasing, unlike lib/openldap.c, which explicitly sets LDAPOPTREFERRALS to LDAPOPTOFF. As a result, a malicious first-hop LDAP server can return a referral to an attacker-controlled second LDAP server and caus...

5.7AI score
Exploits0
Hacker One
Hacker One
added 2026/05/22 3:13 a.m.7 views

curl: CVE-2026-9546: sending old referer

Summary: libcurl documents that CURLOPTREFERER can be set to NULL to disable the Referer header again, but doing so after a transfer does not clear the cached per-handle referer state. As a result, the next HTTP request on the same easy handle can still send the previous request's Referer: value ...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/21 10:58 a.m.6 views

curl: CVE-2026-9545: exposing HTTP/3 early data

Summary: When the ngtcp2 HTTP/3 backend reuses a TLS session that advertises early data support, cfngtcp2onsessionreuse initializes the HTTP/3 connection state and marks the connection filter as connected before the new QUIC/TLS handshake has completed. The request send path can then reach...

6AI score
Exploits0
Hacker One
Hacker One
added 2026/05/21 7:5 a.m.44 views

curl: curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication

Summary: When curl/libcurl is built with the GnuTLS backend, the current HTTPS server-certificate validation path verifies the trust chain and hostname but does not enforce TLS server Extended Key Usage semantics. As a result, a leaf certificate that chains to a trusted CA, matches the requested...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/21 6:31 a.m.28 views

Node.js: Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`)

I discovered a memory corruption vulnerability in Node.js's native UTF-8 string decoding path src/stringbytes.cc. When Buffer.prototype.toString'utf8' is called on a Buffer backed by a SharedArrayBuffer, the underlying native code performs a validate-then-convert sequence without copying the data...

6.4AI score
Exploits0
Hacker One
Hacker One
added 2026/05/20 7:43 p.m.36 views

curl: Heap-OOB read in urlapi `redirect_url()` via `CURLU_GUESS_SCHEME` + `CURLU_NO_GUESS_SCHEME` flow

Hi all, We've found an issue in lib/urlapi.c where redirecturl reads past the end of a heap buffer when the source URL it operates on lacks a "scheme://" prefix. This is reachable through documented public APIs curlurlset when the caller mixes CURLUGUESSSCHEME with a subsequent CURLUNOGUESSSCHEME...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/20 7:40 p.m.7 views

curl: CVE-2026-9547: SSH improper host validation

Hi all, We've found an issue in lib/vssh/libssh.c where the libssh backend maps SSHKNOWNHOSTSOTHER to CURLKHMATCHMISSING instead of CURLKHMATCHMISMATCH. libssh documents SSHKNOWNHOSTSOTHER as "The server gave us a key of a type while we had another type recorded. It is a possible attack."...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/20 7:35 p.m.20 views

curl: Use-after-free in `curl_easy_duphandle()` with HTTP/2 stream-dependency tree

Hi all, We've found an issue in lib/easy.c where curleasyduphandle shallow-copies set.priority, so the original and the duplicate end up holding two independent pointer-typed variables that both reference the same heap-allocated Curldataprionode chain. Freeing the chain from one side leaves the...

5.7AI score
Exploits0
Hacker One
Hacker One
added 2026/05/20 7:31 p.m.6 views

curl: CVE-2026-10536: HTTP/2 stream-dependency tree UAF

Use-after-free in curleasyreset with HTTP/2 stream-dependency tree Hi all, We've found an issue in lib/easy.c where curleasyreset bypasses dataprioritycleanup before clearing data-set, leaving the HTTP/2 stream-dependency tree with dangling pointers to the reset handle. The current curleasyreset ...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/20 10:49 a.m.17 views

curl: CVE-2026-9079: stale proxy password leak

Product Product name: curl / libcurl Product link: https://github.com/curl/curl Suggested CWE: CWE-226: Sensitive Information in Resource Not Removed Before Reuse https://cwe.mitre.org/data/definitions/226.html; alternative CWE-200: Exposure of Sensitive Information to an Unauthorized Actor...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/20 1:40 a.m.34 views

curl: curl cross-origin HTTPS redirect reuses TLS client certificate for unintended second-origin mTLS authentication

Summary: When curl follows an HTTPS redirect to a different origin under normal -L / CURLOPTFOLLOWLOCATION behavior, it still presents the configured TLS client certificate to the redirected-to HTTPS server. This happens without --location-trusted / CURLOPTUNRESTRICTEDAUTH, even though curl alrea...

5.4AI score
Exploits0
Hacker One
Hacker One
added 2026/05/19 10:4 p.m.7 views

curl: CVE-2026-9080: UAF after pause in socket callback

Hi all, We've found a heap-use-after-free in lib/multiev.c triggered by calling curleasypause from within a CURLMOPTSOCKETFUNCTION callback. ASAN-confirmed with the self-contained reproducer below. Affected versions: 8.13.0 – 8.20.0 current. The entry-action write line 280 has been vulnerable sin...

5.7AI score
Exploits0
Hacker One
Hacker One
added 2026/05/19 11:30 a.m.34 views

curl: curl --skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write

Summary: The curl CLI's --skip-existing option performs a separate existence check before the download body is written. In the verified path, curl first calls stat on the target pathname and decides "the file does not exist, so continue", but it does not keep an fd bound to that decision. The...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/18 11:47 a.m.9 views

curl: CVE-2026-8927: env-set cross-proxy Digest auth state leak

AI-assisted preparation note I used AI assistance to help structure and format this report, but the technical findings, PoC, and verification results are based on local testing against curl/libcurl 8.20.0. Summary I found a possible incomplete-fix variant of CVE-2026-7168 in libcurl 8.20.0. The...

5.3CVSS5.5AI score0.00471EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/18 8:49 a.m.25 views

Revive Adserver: PHP code injection via unexpected delivery limitation parameter

A vulnerability was reported in Revive Adserver 6.0.6 and earlier versions where user input was not properly validated when saving delivery limitations. This allowed a low-privileged user to inject malicious PHP code into the compiledlimitations field, which could then be executed during banner...

8.8CVSS5.9AI score0.0045EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/17 7:12 a.m.14 views

curl: CRLF Injection via Custom HTTP Headers

Summary: libcurl writes user-supplied custom headers directly into the HTTP request buffer without stripping \r\n characters. The raw input pointer origp in Curladdcustomheaders lib/http.c is serialized verbatim into the outgoing request using curlxdynaddfreq, "%s\r\n", origp instead of using the...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/16 9:24 p.m.119 views

curl: Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers

Summary: libcurl's connection pool match logic does not include the CURLOPTHAPROXYPROTOCOL setting or the CURLOPTHAPROXYCLIENTIP value in its connection match key. Two transfers issued through the same Curleasy or via a shared connection cache CURLLOCKDATACONNECT therefore share one TCP connectio...

7.5CVSS7AI score0.00715EPSS
Exploits9
Hacker One
Hacker One
added 2026/05/16 2:59 a.m.24 views

curl: SSL session-cache peer key omits signature_algorithms: strict-sigalg handle silently resumes a permissive sibling's session

CURLOPTSSLSIGNATUREALGORITHMS policy bypass: SSL session cache key omits sigalgs, allowing a strict-sigalg handle to resume a session negotiated under a permissive policy AI disclosure This report was prepared with the assistance of an AI coding assistant Claude. The behavioral diff pre/post patc...

7.5CVSS6.7AI score0.03721EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/15 4:29 p.m.9 views

AWS VDP: Firecracker Out-of-bounds Read/Write Local Privilege Escalation Vulnerability

A vulnerability was discovered in Firecracker versions up to 1.15.1 that could allow a malicious guest to bypass protection mechanisms and perform out-of-bounds read and write operations on the virtio PCI queue. The vulnerability was caused by inconsistencies in the handling of queue activation...

8.7CVSS5.8AI score0.00208EPSS
Exploits0
Hacker One
Hacker One
added 2026/05/15 2:27 a.m.32 views

Node.js: NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset

Summary: A 19-byte malformed SQLite changeset passed to Node.js node:sqlite DatabaseSyncapplyChangeset causes a native NULL pointer dereference and terminates the Node.js process. Description: The built-in Node.js node:sqlite API exposes DatabaseSyncapplyChangesetchangeset, options, which accepts...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 6:30 p.m.25 views

curl: NULL pointer dereference in libcurl URL API redirect_url() with CURLU_DEFAULT_SCHEME

Summary A NULL pointer dereference appears to exist in libcurl's URL API path when curlurlset handles a relative URL together with CURLUDEFAULTSCHEME on a CURLU handle that has host/path information but no stored u-scheme. The issue is in lib/urlapi.c inside redirecturl, where u-scheme is used in...

5.6AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 12:39 p.m.37 views

curl: TLS peer-verification bypass via mid-transfer ssl_config mutation

Hi all, We want to report a TLS peer-verification issue on current master. The trigger is narrow and requires a specific application usage pattern, but when it fires, a transfer that requests CURLOPTSSLVERIFYPEER=1 can reuse a TLS connection that was established with peer verification disabled...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 12:13 p.m.36 views

curl: cookie: case-insensitive path comparison in replace_existing() allows cookie eviction across distinct paths

Hi all, replaceexisting in lib/cookie.c compares cookie paths case-insensitively at two sites. On case-sensitive servers, /Admin and /admin are distinct resources and are supposed to produce distinct jar entries. Because libcurl conflates them, a Set-Cookie at one path silently evicts the cookie ...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 11:47 a.m.9 views

curl: CVE-2026-8925: SASL double-free

Hi all, We found a double-free in the GSASL authentication path — Curlauthgsaslissupported frees gsasl-ctx on a failed gsaslclientstart but never nulls the pointer, and then Curlauthgsaslcleanup frees it again unconditionally at connection teardown. The bug lives in two spots...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 11:38 a.m.7 views

curl: CVE-2026-8926: password leak with netrc and user in URL

Hey all, Before the following report, I just want to point to a comment from our scanner, where it seems it was already picked up but it was dismissed and the PR was closed later by another commit - https://github.com/curl/curl/pull/20932issuecomment-4072903895 Nonetheless, it appears this issue...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 11:36 a.m.14 views

curl: HTTPS proxy connection reuse lets one easy handle inherit another handle's mTLS-authenticated proxy session

Summary: libcurl can reuse an already mTLS-authenticated HTTPS proxy TLS connection for a different easy handle even when that second handle does not have the proxy private key required to establish the session itself. The issue happens because the HTTPS proxy connection reuse identity does not...

6AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 11:36 a.m.26 views

curl: CURLOPT_PROXY_CAINFO_BLOB silently activates native CA store on Apple builds

Hi all, CURLOPTPROXYCAINFOBLOB introduced 7.77.0 never sets proxyssl.customcablob. On USEAPPLESECTRUST / CURLCANATIVE builds this causes curl to silently fall back to the system keychain for proxy TLS verification, nullifying the caller's blob-only trust policy. --- Root cause lib/setopt.c handle...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 11:14 a.m.24 views

curl: libssh SFTP initialization ignores CURLOPT_TIMEOUT, hangs indefinitely

Hi all, The libssh backend in lib/vssh/libssh.c ignores CURLOPTTIMEOUT / --max-time during SFTP subsystem negotiation. A server that completes SSH authentication and then stalls before answering the SSHFXPINIT packet will pin the curl process indefinitely — no timeout fires, no error is returned,...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 11:6 a.m.24 views

curl: Schannel custom-CA path skips Extended Key Usage enforcement

Hi all, We believe the Schannel custom-CA verification path in lib/vtls/schannelverify.c may skip Extended Key Usage enforcement. In particular, a certificate that chains to the trusted custom CA but contains only id-kp-clientAuth, rather than id-kp-serverAuth, may pass peer verification on Windo...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 10:48 a.m.32 views

curl: HTTP/3 paused transfer buffers incoming data without bound up to ~1 GiB

Hi all, When a libcurl application's CURLOPTWRITEFUNCTION returns CURLWRITEFUNCPAUSE, libcurl routes subsequent incoming body data through cw-pause lib/cw-pause.c. The bufq inside cw-pause is initialised with BUFQOPTSOFTLIMIT and a chunk size of 16 KiB lib/cw-pause.c:51-52, which causes bufq to...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 10:40 a.m.34 views

curl: rustls backend silently ignores CURLOPT_CRLFILE when native CA store is active

Hi all, When the rustls backend is configured to use the OS native CA store --ca-native / CURLSSLOPTNATIVECA, any CRL file supplied via --crlfile / CURLOPTCRLFILE is silently ignored. The option is accepted — CURLEOK from curleasysetopt, exit 0 from the command line — and revoked certificates pas...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 10:35 a.m.37 views

curl: Trailing-dot IPv4 URL bypasses IP-address guard, allows wildcard DNS SAN match

Hi all, Sorry to ruin anybody's day, but we've discovered another issue when it comes to dots. We've found a TLS certificate verification bypass that lets a trailing-dot IPv4 URL -- https://127.0.0.1./ -- pass peer authentication against a wildcard DNS SAN certificate such as DNS:.0.0.1. The IP...

4.3CVSS5.9AI score0.01118EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/14 7:47 a.m.18 views

Mozilla: Taskcluster web-server OAuth2 authorization codes are reusable and the exchange handler checks the wrong expiry column

The Taskcluster web-server's OAuth2 token-exchange handler did not consume authorization codes and did not enforce the authorization-code expiry. A leaked authorization code could be replayed to mint additional bridge access tokens for the original user, past the 10-minute window required by the...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 2:27 a.m.43 views

Rocket.Chat: Autotranslate DDP Method Exposes Private Messages Without Authentication or Room Access Check

Vulnerability description not provided...

7.5CVSS5.8AI score0.00283EPSS
Exploits0
Hacker One
Hacker One
added 2026/05/13 11:33 p.m.40 views

curl: TLS verifyhost bypass in rustls, mbedTLS, and wolfSSL when verifypeer=0

The now-well-known CURLOPTSSLVERIFYHOST-bypass-when-CURLOPTSSLVERIFYPEER=0 defect exists in three of curl's TLS backends: rustls EXPERIMENTAL, mbedTLS, and wolfSSL DNS hostnames only. The documented contract at docs/libcurl/opts/CURLOPTSSLVERIFYPEER.md:57-59: The check that the host name in the...

5.8CVSS6.5AI score0.04888EPSS
Exploits0
Hacker One
Hacker One
added 2026/05/13 10:42 p.m.32 views

curl: HTTP/2 proxy CONNECT tunnel unbounded 1xx chain (missing Curl_bump_headersize cap in cf-h2-proxy.c)

A malicious HTTPS-on-HTTP/2 proxy can grow a libcurl client's resident set without bound during the CONNECT phase by streaming 1xx informational responses. The CVE-2023-38039 cap MAXHTTPRESPHEADERSIZE, 300 KiB, enforced through Curlbumpheadersize is not applied on the HTTP/2 proxy path. The HTTP/...

7.5CVSS6.6AI score0.62246EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/13 10:12 p.m.26 views

curl: HSTS multi-trailing-dot bypass-ish: possible incomplete fix for CVE-2022-30115

Hi all, Honestly, I'm not completely certain about this issue, but I think the CVE-2022-30115 fix "HSTS bypass via trailing dot" is incomplete: the same asymmetry exists for hostnames with two or more trailing dots, so http://example.com../ still gets sent in plaintext when there's a valid HSTS...

4.3CVSS6.8AI score0.01118EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/13 9:54 p.m.260 views

curl: Credentials forwarded to HTTP after HTTPS→HTTP same-port redirect — url_set_data_creds uses scheme-blind comparator

Hi all, The recent creds: hold credentials refactor — commit 8f71d0fde5 2026-05-11 https://github.com/curl/curl/commit/8f71d0fde5 — introduced a credential-leak regression on HTTPS→HTTP same-port redirects. -u user:pass and --oauth2-bearer both end up in cleartext after a 302 from https://h:N/ to...

5.7CVSS6.7AI score0.01595EPSS
Exploits2
Hacker One
Hacker One
added 2026/05/13 9:50 p.m.22 views

curl: CURLOPT_HSTS_CTRL disables shared HSTS without share guard — use-after-free and double-free

Hi all, CURLOPTHSTSCTRL set to a value without CURLHSTSENABLE unconditionally frees the easy's HSTS object — even when that object is shared via a CURLSH. The result is a use-after-free and a double-free on the shared 48-byte struct hsts block when the share or any other linked easy is later torn...

9.8CVSS6.7AI score0.03333EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/13 9:34 p.m.7 views

curl: CVE-2026-8932: incomplete mTLS config matching in conn reuse

Hi all, This report and my multiple subsequent ones may come as a surprise, as I was assured that curl now had zero vulnerabilities in it. Nonetheless, I think the CVE-2022-27782 fix "TLS and SSH connection too eager reuse", commit f18af4f874 2022-05-09, "tls: check more TLS details for connectio...

7.5CVSS6.6AI score0.02596EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/13 9:30 p.m.6 views

curl: CVE-2026-8924: trailing dot domain super cookie

Summary: A PSL-enabled curl build rejects a canonical public suffix cookie such as Domain=co.uk, but accepts the trailing-dot variant Domain=co.uk. when the request host also uses a trailing dot. In the reproduced case, a response from foo.co.uk. sets Set-Cookie: trail=1; Domain=co.uk.; Path=/, a...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/10 11:9 p.m.26 views

curl: Kerberos/SPNEGO Connection Reuse Vulnerability

Kerberos/SPNEGO Connection Reuse Vulnerability in curl Summary curl reuses HTTP connections across different users without checking Kerberos state. User B's request can inherit User A's GSS security context, allowing authentication bypass. Affected Versions All curl versions with Kerberos support...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/09 6:25 p.m.16 views

Khan Academy: 1-Click Account Takeover via Open Redirect through Regex Bypass in Domain Validation

A vulnerability was discovered in the Khan Academy platform that allowed an attacker to achieve full account takeover of any user. The vulnerability was caused by an unescaped dot flaw in the regular expression used to validate redirect URLs. This allowed the attacker to register a malicious doma...

5.9AI score
Exploits0
Hacker One
Hacker One
added 2026/05/09 1:45 p.m.27 views

Liberapay: another liberapay member team twitter account broken Link Hijacking via Expired Twitter Account Link

Hello again i discovered that there is another Liberapay profile of Liberapay team member at liberapay.com/mdvhimself contains a link to an expired Twitter account, creating a Broken Link Hijacking BLH vulnerability. An attacker could register the expired handle and control what appears to be an...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/08 6:18 p.m.22 views

Liberapay: Liberapay member team twitter account broken Link Hijacking via Expired Twitter Account Link

The profile of a Liberapay team member contained a link to an expired Twitter account, creating a broken link hijacking vulnerability. The expired Twitter account link was displayed on the member's Liberapay profile and donation page, falsely confirming to donors that the account was legitimate a...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/08 3:31 p.m.5 views

curl: CVE-2026-8458: wrong reuse for different services

Summary: I found an incomplete-fix variant of CVE-2026-5545 in curl/libcurl 8.20.0. libcurl 8.20.0 still wrongly reuses an HTTP Negotiate-authenticated connection for a later request to the same host even when the requested service principal changes via CURLOPTSERVICENAME / --service-name. In my...

6.5CVSS6AI score0.00414EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/08 5:31 a.m.7 views

Node.js: Proxy credentials leaked in ERR_PROXY_TUNNEL error message

Vulnerability description not provided...

7.5CVSS5.8AI score0.00437EPSS
Exploits0
Total number of security vulnerabilities15365