curl: HTTP/2 PUSH_PROMISE header loss on OOM bypasses scheme validation (regression of 2e8c922a89)

Summary: In lib/http2.c:1490, when curlmaprintf fails due to memory pressure, the push promise header is silently dropped but the callback returns success. If the lost header is the :scheme pseudo-header, the security check at line 733 that blocks HTTPS pushes over insecure connections is skipped...

arkadiyt-projects: Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes

A path traversal vulnerability was discovered in the protodump tool. The vulnerability allowed an attacker to influence the output filename construction and bypass the containment check, enabling writes outside the intended output directory. The vulnerability was caused by the use of...

arkadiyt-projects: SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48)

A vulnerability was discovered in the ssrffilter library version 1.3.0. The library failed to block the NAT64 local-use IPv6 prefix 64:ff9b:1::/48, allowing such addresses to be treated as public. This enabled SSRF requests through /fetch to targets encoded under that prefix when routable in the...

curl: CRLF Injection in HAProxy PROXY Protocol via CURLOPT_HAPROXY_CLIENT_IP allows IP spoofing and protocol injection

Summary: CURLOPTHAPROXYCLIENTIP introduced in curl 8.2.0 accepts arbitrary strings without any validation or sanitization before injecting them into the HAProxy PROXY protocol v1 header. An attacker who can influence the value passed to this option e.g., through a web application that proxies...

curl: Unbounded GZIP Decompression Leading to Event-Loop Starvation

When libcurl is configured to decompress HTTP responses via CURLOPTACCEPTENCODING or the --compressed CLI flag, it lacks decompression bounds checking or a mechanism to yield execution during massive expansion tasks. If an attacker provides a highly compressed payload zip bomb, libcurl's underlyi...

curl: HTTP/2 server push accepts a non-authoritative :scheme=https over cleartext h2c, enabling HTTPS cache-key poisoning

Summary: I found that libcurl 8.19.0 accepts an HTTP/2 pushed stream on a cleartext h2c connection even when the server sends :scheme=https in PUSHPROMISE. In lib/http2.c, settransferurl builds the pushed handle URL from the server-supplied :scheme, :authority, and :path, but PUSHPROMISE validati...

curl: Security Vulnerability Report: Protocol Injection via Programmatic Options

Summary Multiple text-based protocol handlers in libcurl including FTP, SMTP, POP3, and IMAP are vulnerable to protocol command injection. This occurs when an application sets credentials or other protocol-specific options programmatically e.g., via CURLOPTUSERNAME, CURLOPTPASSWORD, or...

PortSwigger Web Security: Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption

A security issue was discovered in the /api-internal/login authentication endpoint of the internal login interface of Burp Suite DAST Enterprise. The issue was caused by improper input validation order, where the application processed user-supplied input before enforcing field-level validation...

curl: HTTP/1.1 Response Desynchronization via conflicting CL/TE headers in Proxy CONNECT

Summary: curl fails to prioritize the Transfer-Encoding: chunked header over Content-Length in HTTP/1.1 proxy responses specifically 407/401 auth challenges, violating RFC 9112 Section 6.1. I have identified the root cause in cf-h1-proxy.c. In the response-handling loop around line 466, the code...

curl: CVE-2026-4873: connection reuse ignores TLS requirement

A vulnerability was discovered in libcurl's connection reuse for cleartext-upgrade mail protocols. The vulnerability was that the later transfer's CURLOPTUSESSL option was not properly included if a plaintext connection was already open and reusable. This affected the smtp://, pop3://, and imap:/...

AWS VDP: Health check errors silently dropped when channel buffer full

Component: pkg/plugin/plugin.go:153-156, pkg/plugin/pluginv2.go:156-158 Affected Version: aws-encryption-provider @ 4341c70 all versions Found by: Source audit TLP: TLP:Amber --- Summary When KMS operations fail, the error is sent to a buffered channel healthCheckErrc, size 100 via a non-blocking...

AWS VDP: Encryption context keys and values logged at INFO level

Component: cmd/server/main.go:101-106 Affected Version: aws-encryption-provider @ 4341c70 all versions Found by: Source audit TLP: TLP:Amber --- Summary The server startup code logs all encryption context key-value pairs at INFO level. Encryption context is metadata associated with KMS operations...

AWS VDP: V2Plugin.Decrypt panics on empty ciphertext (Remote DoS)

A vulnerability was discovered in the "aws-encryption-provider" component where the "V2Plugin.Decrypt" function accessed the ciphertext slice without checking if it was empty, leading to a panic and crashing the entire gRPC server process...

AWS VDP: V1Plugin.Decrypt panics on empty ciphertext (Remote DoS)

A vulnerability was discovered in the aws-encryption-provider component of the pkg/plugin/plugin.go file at revision 4341c70. The vulnerability caused the V1Plugin.Decrypt function to panic when passed an empty ciphertext, crashing the entire gRPC server process. This was due to the function...

curl: Function `do_pubkey()` can have out-of-bound read issue

Summary A 1-byte out-of-bounds heap read in dopubkey in lib/vtls/x509asn1.c. When parsing an RSA public key with a zero-length or all-zero modulus, the loop dereferences a pointer before checking bounds. Requires a non-OpenSSL TLS backend e.g., Mbed/Gnu. A certificate chain verification can trigg...

curl: Exposed .git/config File Leading to Potential Sensitive Information Disclosure

Summary: The .git/config file is publicly accessible on the target server, which may expose sensitive repository configuration details. This indicates that the .git directory is improperly exposed, potentially allowing attackers to reconstruct the entire source code repository and extract sensiti...

curl: Bearer Token Leaked to Attacker via .netrc Despite CVE-2026-3783 Fix

curl versions 8.19.0 and later were meant to fix CVE-2026-3783, which causes OAuth2 bearer tokens to leak on HTTP redirects when the user has a .netrc file configured. However, the vulnerability still exists in the current codebase. VULNERABILITY: When a curl user specifies an OAuth2 bearer token...

curl: HSTS accepted from HTTP origin behind HTTPS proxy

curl/libcurl appears to accept and persist Strict-Transport-Security from an http:// origin when the request is sent through an https:// proxy. After that, a later http:// request for the same host is automatically upgraded to https:// due to stored HSTS state. Affected versions 8.12.0 through...

phpBB: Blind POST SSRF via Web Push Notification Endpoint

A vulnerability was discovered in phpBB 4.0.0-alpha1 that allowed registered users to register arbitrary URLs as their Web Push notification endpoint. The endpoint URL was stored without validation and later used by the phpBB server to send outbound HTTP POST requests, potentially leading to blin...

curl: Unescaped username in SASL DIGEST-MD5 response allows injection

Summary: The username is inserted into the digest-md5 response without escaping the quotes or backslashes. The HTTP digest path on line 863 in lib/vauth/digest.c uses authdigeststringquoted but the SASL does not line 478. Commit ac419bf sorted the HTTP in 2013. It looks like the SASL was moved in...

Basecamp: DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover

A DOM XSS vulnerability was discovered in the file import functionality of the Fizzy application. The vulnerability allowed an attacker to craft a malicious filename that, when previewed by the victim user, would inject a second form submission into the import page. This enabled the attacker to...

LinkedIn: Access to Deactivated LinkedIn Company Pages via Competitor Analytics API

A vulnerability was discovered in LinkedIn's Competitor Analytics API that permitted authenticated users to access analytics data for deactivated company pages...

curl: SMB READ_ANDX DataOffset not validated

Summary: in smbrequeststate case SMBDOWNLOAD curl reads two server-controlled fields from a READANDX response and uses them to decide where in the receive buffer file data starts. c / lib/smb.c / len = Curlread16leconst unsigned char msg + sizeofstruct smbheader + 11; off = Curlread16leconst...

Ruby on Rails: Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs

A vulnerability was discovered in the Rails::HTML::Sanitizer.alloweduri? method of the rails-html-sanitizer library. The method incorrectly returned true for entity-encoded control-character-split javascript: URLs, which could lead to potential security issues if the application relied on the...

Lovable VDP: Bypass of Open Redirect Fix on lovable.dev via /..// Path Traversal in redirect parameter

A bypass was discovered for a previously patched open redirect vulnerability on a web application. The original fix blocked certain payloads, but failed to account for path traversal sequences combined with double slashes. By supplying a specific redirect value, an attacker could still redirect...

curl: Curl_compareheader() fails to match multi-value HTTP headers

Summary Curlcompareheader in lib/http.c fails to scan the full value of HTTP headers for substring matches. Due to an incorrect loop condition, only the first byte position of the header value is checked. This causes curl to miss connection options like close when they appear as non-first tokens ...

curl: urlapi: off-by-one in custom scheme validation skips last character

Summary In lib/urlapi.c, the seturlscheme function has an off-by-one error when validating custom scheme names. The validation loop checks scheme0 twice once by ISALPHA, once in the loop and never checks the last character. This allows schemes ending with any arbitrary byte e.g., foo!, bar, bad/ ...

curl: NULL Pointer Dereference (DoS) in libcurl SFTP QUOTE command parsing due to missing return statement

Summary: A logic flaw in lib/vssh/libssh2.c causes a NULL pointer dereference when parsing SFTP QUOTE commands with trailing garbage. The function returnquoteerror is called to handle errors and free memory, but the return keyword is missing in several blocks e.g., lines 840, 857, 870. This allow...

curl: CURLOPT_UNRESTRICTED_AUTH Dangerous Default Documentation Gap

Summary: CURLOPTUNRESTRICTEDAUTH=1 instructs libcurl to send credentials to ALL hosts during redirect chains, 'possibly again and again as the following hosts can keep redirecting to new hosts.' The documentation explicitly warns this is dangerous, but the default behavior is also risky: curl onl...

curl: Connection Reuse Ignores OAuth Bearer Token Mismatch

Summary: The connection pool reuse function urlmatchconn in lib/url.c checks oauthbearer in its credential match block — but only for protocols marked as requiring per-connection credentials. For HTTP, OAuth bearer is passed as a header, not a protocol-level credential. If a libcurl application...

Nextcloud: Stored XSS in attachment-display exploitable through SameSite

A stored XSS vulnerability was discovered in the attachment-display feature of Roundcube. By uploading an HTML file and opening it through the display-attachment endpoint, the embedded script could execute under the Roundcube origin. The issue was caused by the lack of a restrictive Content...

IBM: Potential Subdomain Takeover on IBM.com domain.

A potential subdomain takeover on an IBM.com domain was reported to IBM, analyzed, and remediated...

curl: Use-After-Free in SMB connection reuse (req->path dangling pointer after needle destruction)

Summary A heap-use-after-free occurs in smbsendopen at lib/smb.c when curl processes two SMB URLs targeting the same host. The function smbparseurlpath sets req-path as a non-owning pointer into smbc-share connection-owned memory. During connection reuse, the needle connection is freed via...

curl: CVE-2026-3805: use after free in SMB connection reuse

Summary A heap-use-after-free occurs in smbsendopen at lib/smb.c when curl processes two SMB URLs targeting the same host. The function smbparseurlpath sets req-path as a non-owning pointer into smbc-share connection-owned memory. During connection reuse, the needle connection is freed via...

Lovable VDP: Business Logic Bypass Allows Setting “Read Access” Role Without Pro Plan Subscription

A business logic vulnerability was identified that allowed users on a free plan to generate an invitation link that assigned the "Read Access" role, which was intended to be restricted to users with a Pro Plan subscription. The vulnerability was triggered by manipulating the invitation creation...

AWS VDP: SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet)

Researchers This vulnerability was discovered through collaborative security research. Researchers: - █████ - █████████ - █████████ --- Summary AWS WAF fails to detect certain SQL injection payload variants. These payloads bypass the AWS WAF SQL injection detection rules and reach the backend...

Nextcloud: position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.

A vulnerability was discovered in the CSS sanitization process of the Roundcube webmail application. The sanitizer failed to properly handle the "position: fixed !important" CSS declaration, allowing an attacker to bypass the mitigation for fixed-position overlays. This could enable the creation ...

Nextcloud: Unquoted body background attribute enables CSS injection that bypasses remote image blocking

A vulnerability was discovered in Roundcube's HTML sanitizer that enabled CSS injection when the allowremote option was set to false. The sanitizer failed to quote the value of the background attribute from the email's element, allowing a crafted data: URI to terminate the url function and inject...

Nextcloud: SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail client. The vulnerability allowed attackers to bypass the "Block remote images" security feature by using SMIL animation attributes to load arbitrary external resources without validation. This could have enabled email...

Rocket.Chat: RBAC bypass on App log endpoints via `permissionRequired` typo — any authenticated user reads admin-only Enterprise App logs

Vulnerability description not provided...

Enjin: Unauthenticated File Upload to CDN

An unauthenticated file upload vulnerability was discovered in the NFT.io platform. The vulnerability allowed an unauthenticated user to upload files to the platform's content delivery network. The issue was reported and promptly fixed by the Enjin team, despite the low-impact nature of the...

AWS VDP: QuickSight Authorization Bypass: Chat Agents Accessible Despite Custom Permissions Denial

A vulnerability was discovered in Amazon Quick Suite formerly QuickSight that allowed users to access and interact with AI chat agents, despite administrative restrictions being in place to disable this functionality. The vulnerability was caused by the lack of proper server-side authorization...

curl: CVE-2026-3784: wrong proxy connection reuse with credentials

Summary libcurl may reuse an existing HTTP proxy CONNECT tunnel without matching proxy credentials when selecting a reusable connection. In lib/url.c, urlmatchproxyuse calls proxyinfomatches lib/url.c:930-935 → lib/url.c:589-595, and that matcher compares proxy type, host, and port but does not...

curl: In curl's SASL OAUTHBEARER authentication, including the SOH character (0x01) in the username corrupts the message structure.

Summary: This vulnerability arises because curl fails to validate the contents of the username when constructing OAuth2 authentication messages. Depending on the server-side implementation, this could lead to log tampering or credential spoofing. Affected version curl 8.18.0...

curl: LM Challenge-Response Hash Always Sent in SMB Authentication

LM Challenge-Response Hash Always Sent in SMB Authentication Summary The curl SMB client unconditionally computes and sends both the legacy LAN Manager LM and NT challenge-response hashes during SMB session setup. The LM hash is cryptographically broken — it splits the password into two 7-charact...

curl: SSTI leads to Command injection

Summary: Hi ,team i 'am new reasercher search for pleasure excuse me for poor technical details. the parmeter os is vulnerable to SSTI leads to command injection Affected version curl/7.55.1 Steps To Reproduce: i tried to injected the os parmeter curl -ospopen'sleep 10'.read --url...

curl: CVE-2026-3783: token leak with redirect and netrc

Summary When --oauth2-bearer is used with --netrc and curl follows a redirect, the bearer token leaks to the redirect target. The netrc bypass at http.c:822 skips Curlauthallowedtohost, allowing the token through. This is an incomplete fix for CVE-2025-14524 — the Dec 2025 SASL fix patched...

Lovable VDP: Open Redirect on lovable.dev via redirect parameter leads to phishing attacks

An open redirect vulnerability was discovered on the website lovable.dev. After logging in, a request was sent to a URL with a 'redirect' parameter. By supplying a backslash-prefixed value for the 'redirect' parameter, the user could be redirected to an external domain. This vulnerability could...

Ruby on Rails: ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection

A vulnerability was discovered in the ActiveStorage Disk Service component of Ruby on Rails. The vulnerability allowed an attacker to achieve arbitrary file write, read, and delete on the server's filesystem by injecting a malicious blob key. The vulnerability was due to insufficient validation o...

curl: Use after free in hyperfifo example

Summary: THIS ONLY IS AN ISSUE IN EXAMPLE CODE, NOT CURL ITSELF! In the hyperfifo example the event base is freed before the curlmulticleanup is called. This leads to a use after free in the addsocket callback, when libevent tries to lock a mutex in the base event during the curl shutdown. Link t...