HackeroneRecent

15365 matches found

Hacker One, added 2 days ago, 8 views

curl: heap-use-after-free in curl_easy_cleanup() called from callback

Summary: Curl_close() (lib/url.c:214) calls curl_multi_remove_handle(data->multi, data) and ignores the return value. When curl_easy_cleanup() is invoked from within a write/read/progress/header callback, multi->in_callback is TRUE, so curl_multi_remove_handle() (lib/multi.c:818-819) returns CURLM_RECURSIVE_API_CALL withou...

AI score 5.8, Exploits 0
Hacker One, added 3 days ago, 8 views

curl: libcurl upload read callbacks miss recursive API guard, allowing prohibited multi API reentry and ASAN-confirmed UAF

Summary: Several libcurl upload read callback paths invoke the application-provided CURLOPT_READFUNCTION without marking the easy handle as being inside a callback. As a result, recursive multi APIs that are correctly rejected from ordinary callbacks are accepted from these upload read callback...

AI score 6, Exploits 0
Hacker One, added 3 days ago, 9 views

curl: setopt(VERIFYPEER) from callback bypasses TLS verify on connection reuse

Summary: Curl_ssl_conn_config_update() overwrites conn->ssl_config.verifypeer when curl_easy_setopt(CURLOPT_SSL_VERIFYPEER, ...) is called, with no handshake-state guard — only if(data->conn). Since setopt is documented as callable from callbacks (setopt.c:2930), an application can connect with verifypeer=0, accepti...

AI score 5.8, Exploits 0
Hacker One, added 3 days ago, 8 views

curl: CURLSHOPT_UNSHARE race can cause UAF in shared SSL session cache during HTTPS transfer

Summary: CURLSHOPT_UNSHARE can free a shared SSL session cache while another thread is starting a normal HTTPS transfer with the same share handle. The failing transfer reaches the cache through curl_easy_perform(), during the OpenSSL handshake. libcurl appears to try to reject this kind of lifetime...

AI score 5.9, Exploits 0
Hacker One, added 6 days ago, 9 views

curl: ssh_config_matches is dead code: unauthorized SSH key reuse

Summary: libcurl's SSH connection-reuse guard ssh_config_matches() — added for CVE-2022-27782 and reaffirmed by CVE-2023-27538 — is dead code in every release since 7.83.1. It compares sshc->rsa / sshc->rsa_pub between a new transfer ("needle") and a pooled connection, but on both sides those pointers are...

CVSS 7.7, AI score 6.7, EPSS 0.02596, Exploits 2
Hacker One, added 6 days ago, 16 views

curl: mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0

Summary: When an application sets CURLOPT_SSL_VERIFYPEER=0 while keeping CURLOPT_SSL_VERIFYHOST=2 (the default), the mbedTLS, wolfSSL, and rustls TLS backends silently skip the hostname-vs-certificate check. The OpenSSL, GnuTLS, and Schannel backends correctly preserve hostname checking under the same...

AI score 5.9, Exploits 0
Hacker One, added 2026/06/25 12:17 p.m., 16 views

curl: UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback

Summary: The CVE-2026-9080 fix re-fetches the sh_entry after the socket callback inside mev_sh_entry_update(), because curl_easy_pause() called from that callback re-enters mev_assess() and can free the entry. The same re-fetch was not applied at the caller, mev_pollset_diff(), which dereferences its own entry...

AI score 5.8, Exploits 0
Hacker One, added 2026/06/25 7:56 a.m., 8 views

curl: Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080)

Summary: libcurl's event interface lets the application's socket callback (CURLMOPT_SOCKETFUNCTION) call curl_easy_pause(). CVE-2026-9080 was issued for a use-after-free that this triggers, and the fix added a post-callback re-fetch of the socket-hash entry in the UPDATE leg (mev_sh_entry_update(),...

AI score 5.8, Exploits 0
Hacker One, added 2026/06/25 7:05 a.m., 8 views

curl: CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection

Summary: The CURLOPT_HAPROXY_CLIENT_IP option accepts an arbitrary string without validating that it is a valid IP address, and without stripping special characters such as \r\n (CRLF) or spaces. Because this value is embedded directly into the HAProxy PROXY protocol v1 header line, an attacker who can...

AI score 5.9, Exploits 0
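As an added example (not from the report and not curl's code), a C builder for the PROXY protocol v1 line that validates both addresses with inet_pton() before formatting, next to an unchecked builder of the shape the report describes. The hostile client-IP string is constructed here; count_crlf_lines() shows that a receiver would parse the unchecked output as two PROXY lines.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed hostile "client IP": a valid address followed by CRLF and a
   second PROXY line that a downstream parser would take as its own. */
static const char HOSTILE_CLIENT_IP[] =
    "203.0.113.5\r\nPROXY TCP4 10.0.0.1 10.0.0.2 1 2";

/* Returns 4 or 6 when s is a textual IPv4/IPv6 literal, 0 otherwise.
   inet_pton() is strict: CR, LF, spaces, hex aliases and trailing bytes
   all fail, which is exactly the filter a PROXY v1 field needs. */
int proxy_ip_family(const char *s)
{
    unsigned char buf[16];
    if(inet_pton(AF_INET, s, buf) == 1)
        return 4;
    if(inet_pton(AF_INET6, s, buf) == 1)
        return 6;
    return 0;
}

/* Validated builder for "PROXY TCP4|TCP6 src dst sport dport\r\n".
   Returns the bytes written, or -1 if an address is not an IP literal,
   the two families differ, a port is out of range or out is too small. */
int build_proxy_v1(char *out, size_t outlen, const char *src_ip,
                   const char *dst_ip, unsigned src_port, unsigned dst_port)
{
    int fs = proxy_ip_family(src_ip);
    int fd = proxy_ip_family(dst_ip);
    int n;
    if(!fs || !fd || fs != fd || src_port > 65535 || dst_port > 65535)
        return -1;
    n = snprintf(out, outlen, "PROXY %s %s %s %u %u\r\n",
                 fs == 4 ? "TCP4" : "TCP6", src_ip, dst_ip, src_port, dst_port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Unchecked builder of the shape the report describes: the caller's
   string is interpolated as-is. */
int build_proxy_v1_unchecked(char *out, size_t outlen, const char *src_ip,
                             const char *dst_ip, unsigned src_port,
                             unsigned dst_port)
{
    int n = snprintf(out, outlen, "PROXY TCP4 %s %s %u %u\r\n",
                     src_ip, dst_ip, src_port, dst_port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Number of CRLF-terminated lines a receiver would parse from buf. */
int count_crlf_lines(const char *buf)
{
    int lines = 0;
    const char *p = buf;
    while((p = strstr(p, "\r\n")) != NULL) {
        lines++;
        p += 2;
    }
    return lines;
}

/* Result of the validated builder for a given client IP (fixed dst/ports). */
int demo_validated(const char *src_ip)
{
    char line[256];
    return build_proxy_v1(line, sizeof line, src_ip, "198.51.100.7", 40000, 443);
}

/* 1 if the validated builder emits exactly `expected` for src_ip. */
int demo_validated_text_is(const char *src_ip, const char *expected)
{
    char line[256];
    if(build_proxy_v1(line, sizeof line, src_ip, "198.51.100.7", 40000, 443) < 0)
        return 0;
    return strcmp(line, expected) == 0;
}

/* How many PROXY lines the unchecked builder emits for src_ip. */
int demo_unchecked_lines(const char *src_ip)
{
    char line[256];
    if(build_proxy_v1_unchecked(line, sizeof line, src_ip, "198.51.100.7", 40000, 443) < 0)
        return -1;
    return count_crlf_lines(line);
}

int main(void)
{
    printf("validated, hostile input: %d\n", demo_validated(HOSTILE_CLIENT_IP));
    printf("unchecked, hostile input: %d PROXY lines\n",
           demo_unchecked_lines(HOSTILE_CLIENT_IP));
    return 0;
}
```

The same filter belongs on the application side of CURLOPT_HAPROXY_CLIENT_IP: if the value comes from a request header or a config file, parse it with inet_pton() first and refuse anything that is not a bare IP literal.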
Hacker One, added 2026/06/22 3:21 p.m., 26 views

Node.js: Node --run POSIX positional argument escaping allows shell command injection

Summary: Node.js `node --run --` attempts to append positional arguments to a package script after escaping each argument for the shell. On POSIX platforms, the escaping logic handles single quotes incorrectly. A positional argument containing a single quote can break out of the intended quoted...

AI score 6.8, Exploits 0
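An added example, not Node's code: correct POSIX single-quote escaping, a deliberately broken variant that backslash-escapes the quote inside single quotes, and a small lexer that reports whether the result still forms one shell word. The sample arguments are constructed; the broken variant is a stand-in for the class of mistake, not a copy of Node's logic.

```c
#include <stdlib.h>
#include <string.h>

/* Correct POSIX quoting: the argument goes inside single quotes, where
   every byte is literal except the closing quote, so each embedded ' is
   emitted as '\'' (close the quotes, a backslash-escaped quote outside
   any quotes, reopen). Returns a malloc'd string, NULL on failure. */
char *shell_single_quote(const char *arg)
{
    size_t len = strlen(arg), quotes = 0, i, j = 0;
    char *out;
    for(i = 0; i < len; i++)
        if(arg[i] == '\'')
            quotes++;
    out = malloc(len + 3 * quotes + 3);  /* each ' grows by 3; 2 outer quotes; NUL */
    if(!out)
        return NULL;
    out[j++] = '\'';
    for(i = 0; i < len; i++) {
        if(arg[i] == '\'') {
            memcpy(out + j, "'\\''", 4);
            j += 4;
        }
        else
            out[j++] = arg[i];
    }
    out[j++] = '\'';
    out[j] = '\0';
    return out;
}

/* Deliberately broken variant (constructed for contrast): a backslash in
   front of the quote, as if inside double quotes. Inside single quotes a
   backslash is literal, so \' still closes the quoted region and the rest
   of the argument is parsed as shell syntax. */
char *shell_single_quote_naive(const char *arg)
{
    size_t len = strlen(arg), i, j = 0;
    char *out = malloc(2 * len + 3);
    if(!out)
        return NULL;
    out[j++] = '\'';
    for(i = 0; i < len; i++) {
        if(arg[i] == '\'')
            out[j++] = '\\';
        out[j++] = arg[i];
    }
    out[j++] = '\'';
    out[j] = '\0';
    return out;
}

/* Minimal POSIX word lexer: 1 if `quoted` is exactly one shell word with
   no unquoted metacharacter or whitespace, 0 otherwise. */
int is_single_shell_word(const char *quoted)
{
    int in_sq = 0;
    const char *p;
    for(p = quoted; *p; p++) {
        if(in_sq) {
            if(*p == '\'')
                in_sq = 0;               /* everything else is literal inside '...' */
        }
        else if(*p == '\'')
            in_sq = 1;
        else if(*p == '\\' && p[1])
            p++;                         /* backslash escapes the next byte */
        else if(strchr(" \t\n;|&$`<>()*?#~\"", *p))
            return 0;                    /* unquoted metacharacter: breakout */
    }
    return !in_sq;                       /* an unterminated quote is not one word */
}

/* Quote `arg` with either routine and report whether it survives as one word. */
int quoted_is_one_word(const char *arg, int use_naive)
{
    char *q = use_naive ? shell_single_quote_naive(arg) : shell_single_quote(arg);
    int ok = q ? is_single_shell_word(q) : 0;
    free(q);
    return ok;
}
```

The lexer is the useful part for a reviewer: run every escaper you rely on through it with inputs containing quotes, backslashes and `$(...)`, and the broken one fails on the first embedded quote.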
Hacker One, added 2026/06/20 9:49 a.m., 3 views

Nintendo: [Splatoon 3] Kick other players with NplnLogin message

A vulnerability was discovered that allowed players to kick other players from a Splatoon 3 game using an NplnLogin message...

AI score 5.8, Exploits 0
Hacker One, added 2026/06/15 9:56 p.m., 27 views

curl: Vulnerability Report: Buffer Overflow in Path Sanitization

Vulnerability Report: Buffer Overflow in Path Sanitization. Summary: Multiple buffer overflow vulnerabilities exist in the src/tool_doswin.c file due to insufficient bounds checking and improper memory management in path sanitization functions. Affected Components: - sanitize_file_name (line 180) -...

AI score 5.8, Exploits 0
Hacker One, added 2026/06/15 11:37 a.m., 101 views

curl: Secure cookies leaked to HTTP origins through HTTPS forwarding proxy

Summary: When curl accesses an http:// origin through an HTTPS forwarding proxy, it sends Secure cookies in the request. The cookies travel in cleartext between the proxy and the origin server, visible to the proxy operator and anyone on that network path. curl also reports CURLINFO_SCHEME as...

AI score 5.5, Exploits 0
Hacker One, added 2026/06/15 12:13 a.m., 31 views

curl: verify-release rebuilds from the tarball under verification, enabling pre-check command execution and false OK for a malicious curl release tarball

Summary: scripts/verify-release is documented as a way to independently verify a downloaded curl release tarball, but on curl-8.20.0 it extracts the tarball under verification and executes ./configure and ./scripts/dmaketgz before any trust decision is made. This creates a circular trust failure:...

AI score 5.8, Exploits 0
Hacker One, added 2026/06/12 2:55 a.m., 14 views

curl: CVE-2026-12064: proto-default skips SSH verification

Summary: When a user invokes curl with a schemeless URL and --proto-default sftp (or scp), the tool layer guesses the URL is HTTP and skips setting SSH security options (CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_KNOWNHOSTS). However, libcurl's runtime correctly applies --proto-default and connects via...

AI score 5.9, Exploits 0
Hacker One, added 2026/06/11 8:27 a.m., 21 views

curl: Duplicate chunked Transfer-Encoding lets a malicious origin smuggle a response across reused HTTP proxy connections

TL;DR: A malicious HTTP origin can send `Transfer-Encoding: chunked, chunked, gzip` through a reusable HTTP proxy connection to bypass curl's "chunked must be last" guard, queue a forged HTTP response after its own response, and make curl parse that queued data as the response for a later request to...

AI score 5.5, Exploits 0
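Added example, not curl's parser: a strict Transfer-Encoding list validator that rejects any value in which chunked appears more than once or is not the final coding. RFC 9112 section 6.1 forbids both, and rejecting them is what removes the framing ambiguity the report relies on. Sample values are constructed; a caller would join repeated Transfer-Encoding header lines with ", " before passing them in.

```c
#include <string.h>
#include <strings.h>

enum te_verdict { TE_NOT_CHUNKED = 0, TE_CHUNKED = 1, TE_REJECT = -1 };

/* Validates a Transfer-Encoding field value: a comma-separated list of
   transfer codings. Returns TE_CHUNKED when "chunked" is present exactly
   once and as the final coding, TE_NOT_CHUNKED when it is absent, and
   TE_REJECT for any other arrangement (duplicate chunked, or chunked
   followed by another coding). Codings are compared case-insensitively;
   empty list elements and optional whitespace are tolerated as the
   grammar allows. A coding carrying parameters is treated as "other". */
int validate_transfer_encoding(const char *value)
{
    int chunked_seen = 0, last_was_chunked = 0;
    const char *p = value;

    while(*p) {
        const char *start, *end;
        while(*p == ' ' || *p == '\t' || *p == ',')
            p++;                         /* OWS and empty list elements */
        if(!*p)
            break;
        start = p;
        while(*p && *p != ',')
            p++;
        end = p;
        while(end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;                       /* trailing OWS */
        if((end - start) == 7 && strncasecmp(start, "chunked", 7) == 0) {
            if(chunked_seen)
                return TE_REJECT;        /* chunked applied twice */
            chunked_seen = 1;
            last_was_chunked = 1;
        }
        else
            last_was_chunked = 0;
    }
    if(chunked_seen && !last_was_chunked)
        return TE_REJECT;                /* a coding after chunked */
    return chunked_seen ? TE_CHUNKED : TE_NOT_CHUNKED;
}
```

On TE_REJECT the right response is to abandon the connection rather than fall back to another framing rule: the whole point of a duplicate chunked header is that two parsers may disagree about where the body ends.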
Hacker One, added 2026/06/10 7:54 a.m., 29 views

curl: Incomplete Suppression of Transfer-Encoding: chunked Header in HTTP/2 After Redirect From HTTP/1.1

When curl sends a request with Transfer-Encoding: chunked using HTTP/1.1 and follows a redirect to an HTTP/2 endpoint, the upload_chunky flag is not properly reset. As a result, the Transfer-Encoding: chunked header is sent in the subsequent request even when HTTP/2 is negotiated/used. This violat...

AI score 5.3, Exploits 0
Hacker One, added 2026/06/10 5:00 a.m., 7 views

curl: CVE-2026-11856: cross-origin Digest auth state leak

Summary: This issue is the HTTP sibling to the previously disclosed RTSP Digest auth leak. When an application uses libcurl and reuses the same easy handle for sequential transfers (the documented best practice), the Digest authentication state captured from the first origin is silently sent to the...

AI score 5.9, Exploits 0
Hacker One, added 2026/06/10 4:40 a.m., 8 views

Revive Adserver: Reflected XSS in stats-video.php via improperly encoded URL parameters

A reflected XSS vulnerability was discovered in the stats-video.php script due to improper encoding of user input in the URL parameters...

CVSS 6.1, AI score 5.8, EPSS 0.00224, Exploits 0
Hacker One, added 2026/06/09 2:20 a.m., 16 views

curl: Trailing-Dot Hostname in Redirect Silently Strips Client Certificate and Auth Credentials

Summary: When curl follows a redirect where the Location header contains a hostname with a trailing dot (e.g., https://example.com./path), Curl_peer_equal() in peer.c:321-330 compares the original hostname (example.com) against the redirect target (example.com.) using curl_strequal(), which does not normalize...

CVSS 5.7, AI score 6.6, EPSS 0.01595, Exploits 1
Hacker One, added 2026/06/09 1:45 a.m., 27 views

curl: curl-ipv4-percent-normalization-SSRF

Summary: six or fewer sentences describing the issue in your own human voice and optionally a short proof-of-concept script Affected version Which curl/libcurl version are you using to reproduce? On which platform? curl -V typically generates good output to include Steps To Reproduce: add details...

AI score 5.5, Exploits 0
Hacker One, added 2026/06/08 8:24 a.m., 7 views

curl: CVE-2026-11564: Native CA trust persist

A vulnerability was discovered in the libcurl library where a native CA trust could persist after an easy handle switches to custom CA material. The vulnerability was found to affect builds of libcurl that enable the native CA trust feature. The issue stemmed from the fact that the library did no...

AI score 5.8, Exploits 0
Hacker One, added 2026/06/08 7:54 a.m., 7 views

curl: CVE-2026-11586: WS Auto-PONG memory exhaustion

Summary: TL;DR: a remote WebSocket peer can make default curl/libcurl grow memory until timeout or OOM by sending legal PING frames while refusing to read the client's automatic PONGs. curl automatically replies to each received WebSocket PING with a PONG unless CURLWS_NOAUTOPONG is set. In...

AI score 5.9, Exploits 0
Hacker One, added 2026/06/08 3:11 a.m., 933 views

curl: SSH/SFTP connection reuse can bypass SSH key identity after ssh_config_matches removal

Summary: libcurl's SSH/SFTP connection reuse logic no longer binds a pooled SSH connection to the SSH key identity requested by the new transfer. After ssh_config_matches() was removed, url_match_proto_config() again has no SSH-specific check for CURLOPT_SSH_PUBLIC_KEYFILE or CURLOPT_SSH_PRIVATE_KEYFILE. An...

CVSS 7.7, AI score 7.5, EPSS 0.02596, Exploits 2
Hacker One, added 2026/06/06 1:49 p.m., 22 views

curl: SOCKS5 no-auth accepted despite username/password-only authentication

Summary: curl/libcurl appears to allow unauthenticated SOCKS5 negotiation even when the caller explicitly configures username/password-only SOCKS5 authentication. With --socks5-basic and SOCKS5 credentials set, curl still advertises both SOCKS5 method 0x00 (no authentication) and 0x02...

AI score 5.5, Exploits 0
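Added example (not libcurl's SOCKS code): building the RFC 1928 client greeting so that only username/password (method 0x02) is offered when the caller requires it, plus a check that refuses a server method selection the client never advertised. The server replies are constructed bytes, not read from a socket.

```c
#include <stddef.h>

enum {
    SOCKS5_VER      = 0x05,
    SOCKS5_NOAUTH   = 0x00,   /* RFC 1928 method: no authentication required */
    SOCKS5_USERPASS = 0x02,   /* RFC 1929 username/password */
    SOCKS5_NOACCEPT = 0xFF    /* server: no acceptable methods */
};

/* Builds the client greeting VER NMETHODS METHOD... (RFC 1928 section 3).
   With credentials configured and require_auth set, only 0x02 is offered;
   listing 0x00 as well lets the proxy, or anything answering in its place,
   select "no authentication" and downgrade the client's intent.
   Returns the greeting length (3 or 4 bytes here). */
size_t socks5_build_greeting(unsigned char out[4], int have_creds, int require_auth)
{
    size_t n = 2;
    out[0] = SOCKS5_VER;
    if(!(have_creds && require_auth))
        out[n++] = SOCKS5_NOAUTH;
    if(have_creds)
        out[n++] = SOCKS5_USERPASS;
    out[1] = (unsigned char)(n - 2);    /* NMETHODS */
    return n;
}

/* Checks the server's method selection VER METHOD. Returns the selected
   method when it is one the client offered; -1 for a malformed reply, a
   0xFF rejection, or a method the client never advertised. That last case
   is the runtime guard: a client that offered 0x00 by mistake would
   otherwise continue unauthenticated when the server picks it. */
int socks5_check_method_select(const unsigned char *reply, size_t rlen,
                               const unsigned char *greeting, size_t glen)
{
    size_t i;
    if(rlen != 2 || reply[0] != SOCKS5_VER || reply[1] == SOCKS5_NOACCEPT)
        return -1;
    for(i = 2; i < glen; i++)
        if(greeting[i] == reply[1])
            return reply[1];
    return -1;
}

/* Constructed negotiation with credentials configured: builds the
   greeting, fabricates the server's choice, returns the check result. */
int demo_negotiate(int require_auth, unsigned char server_choice)
{
    unsigned char greeting[4];
    unsigned char reply[2];
    size_t glen = socks5_build_greeting(greeting, 1, require_auth);
    reply[0] = SOCKS5_VER;
    reply[1] = server_choice;
    return socks5_check_method_select(reply, sizeof reply, greeting, glen);
}

/* NMETHODS byte of the greeting for a credentialed client. */
int demo_nmethods(int require_auth)
{
    unsigned char greeting[4];
    socks5_build_greeting(greeting, 1, require_auth);
    return greeting[1];
}
```

On the wire the two greetings are `05 01 02` (credentials required) and `05 02 00 02` (either method acceptable); a capture of the first two bytes after connect is enough to confirm which one a client actually sends.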
Hacker One, added 2026/06/06 11:38 a.m., 19 views

curl: libcurl: HTTP/1.x bare LF byte in response header value enables cookie jar pollution and POST body/credential exfiltration via redirect — RC=0, curl 8

Summary: curl's HTTP/1.x response header parser splits header lines using a single memchr(buf, '\n', blen) call (lib/http.c:4457), with no awareness of whether the current position is inside a quoted-string value. A server response containing any header field whose value embeds a raw LF byte (\x0a) caus...

AI score 5.5, Exploits 0
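Added example, not curl's code: a strict HTTP/1.x header-block scanner that accepts only CRLF line endings and rejects a bare LF or bare CR anywhere, beside the lenient split-on-every-LF shape the report describes. The response bytes with a LF inside a Set-Cookie value are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed responses. In the first, the LF inside the Set-Cookie value
   was never meant to be a line break; a lenient splitter turns it into a
   second Set-Cookie header. */
static const char SAMPLE_SPLICED[] =
    "HTTP/1.1 200 OK\r\nSet-Cookie: a=b\nSet-Cookie: evil=1\r\n\r\n";
static const char SAMPLE_CLEAN[] =
    "HTTP/1.1 200 OK\r\nSet-Cookie: a=b\r\n\r\n";

/* Strict scan: returns the number of header lines before the empty line,
   or -1 if any line is terminated by a bare LF or contains a bare CR.
   A response with a stray LF is rejected as a whole rather than being
   reinterpreted, which is the safe choice for a client that will act on
   Set-Cookie and Location. */
int headers_count_strict(const char *buf, size_t len)
{
    size_t i, line_start = 0;
    int lines = 0;
    for(i = 0; i < len; i++) {
        if(buf[i] == '\n')
            return -1;                           /* bare LF */
        if(buf[i] == '\r') {
            if(i + 1 >= len || buf[i + 1] != '\n')
                return -1;                       /* bare CR */
            if(i == line_start)
                return lines;                    /* empty line: end of headers */
            lines++;
            i++;
            line_start = i + 1;
        }
    }
    return lines;                                /* no terminator seen yet */
}

/* Lenient scan, the memchr(buf, '\n', len) shape: every LF ends a line and
   an optional preceding CR is dropped. Returns the number of lines it
   would hand to the header parser. */
int headers_count_lenient(const char *buf, size_t len)
{
    size_t i, line_start = 0;
    int lines = 0;
    for(i = 0; i < len; i++) {
        size_t line_len;
        if(buf[i] != '\n')
            continue;
        line_len = i - line_start;
        if(line_len && buf[i - 1] == '\r')
            line_len--;
        if(line_len == 0)
            return lines;
        lines++;
        line_start = i + 1;
    }
    return lines;
}

int main(void)
{
    printf("spliced: strict=%d lenient=%d\n",
           headers_count_strict(SAMPLE_SPLICED, sizeof SAMPLE_SPLICED - 1),
           headers_count_lenient(SAMPLE_SPLICED, sizeof SAMPLE_SPLICED - 1));
    return 0;
}
```

The lenient count of three for the spliced sample is the pollution: the attacker's `evil=1` cookie is stored as if the server had sent it on its own line.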
Hacker One, added 2026/06/05 11:44 a.m., 47 views

curl: GnuTLS OCSP stapling accepts unrelated SingleResponse (no cert-ID binding)

Summary: This report describes a variant of the publicly disclosed curl vulnerability CVE-2020-8286 (OCSP stapling verification bypass), found in the GnuTLS TLS backend (lib/vtls/gtls.c). The original CVE affected the NSS backend; this variant reproduces the same logical class of defect — accepting...

CVSS 7.5, AI score 6.8, EPSS 0.04575, Exploits 1
Hacker One, added 2026/06/05 7:50 a.m., 7 views

Revive Adserver: XML-RPC login leak exposes valid session ID enabling unauthorized API access

Vulnerability description not provided...

CVSS 4.3, AI score 5.8, EPSS 0.00173, Exploits 0
Hacker One, added 2026/06/05 3:50 a.m., 6 views

curl: CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop

Summary: curl's QUIC UDP receive helper ignores zero-length UDP datagrams before counting them against the per-call packet budget. On Linux, recvmmsg_packets() loops while pkts < max_pkts, but `if(!mmsg[i].msg_len) continue;` runs before pkts is incremented. The recvmsg_packets() backend has the same no-progress...

AI score 5.9, Exploits 0
Hacker One, added 2026/06/04 10:17 a.m., 6 views

Revive Adserver: CSRF in zone-include.php allows unauthorized banner and campaign linking

The zone-include.php script in Revive Adserver 6.0.7 was vulnerable to a CSRF attack. Linking and unlinking banners or campaigns to zones could be triggered via crafted GET or POST requests without any verification of the CSRF token, allowing an attacker to perform these actions on behalf of an...

AI score 5.9, Exploits 0
Hacker One, added 2026/06/04 8:03 a.m., 9 views

Revive Adserver: PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting

Vulnerability description not provided...

CVSS 8.8, AI score 6.7, EPSS 0.01975, Exploits 1
Hacker One, added 2026/06/04 6:08 a.m., 10 views

Revive Adserver: Stored XSS in maintenance tools via unescaped entity names

A stored XSS vulnerability was discovered in the maintenance tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without proper escaping when inconsistencies were detected in the maintenance-acl-check.php and maintenance-banners-check.php files...

CVSS 5.4, AI score 5.8, EPSS 0.00199, Exploits 0
Hacker One, added 2026/06/04 6:03 a.m., 45 views

curl: OpenSSL TLS 1.2 session resumption accepts expired server certificates in libcurl

Summary: curl's OpenSSL backend can accept a new TLS 1.2 HTTPS connection after the server certificate has expired if the connection resumes a previously cached TLS session. A full handshake made at the same time with the same certificate fails with CURLE_PEER_FAILED_VERIFICATION, but the resumed...

AI score 5.6, Exploits 0
Hacker One, added 2026/06/04 1:45 a.m., 28 views

Node.js: Incomplete Fix for CVE-2026-21637: OCSPRequest and resumeSession Events Crash Node.js TLS Server via Unhandled Synchronous Exceptions

Summary: The March 2026 security release patched CVE-2026-21637 by wrapping SNICallback, ALPNCallback, and pskCallback invocations in try/catch blocks inside lib/internal/tls/wrap.js. That fix is present in v26.3.0. However, two other TLS callback paths in the same file were left unprotected: 1...

CVSS 7.5, AI score 6.1, EPSS 0.01056, Exploits 0
Hacker One, added 2026/06/03 11:04 p.m., 8 views

Revive Adserver: PHP code injection in delivery-limitation `logical` validation bypass

A vulnerability in the delivery-limitation logical validation was reported. The vulnerability allowed bypassing the fix for CVE-2026-34916 by sending a disallowed but otherwise valid plugin identifier as type, or using the ox.setChannelTargeting XML-RPC API method...

CVSS 8.8, AI score 6.6, EPSS 0.01975, Exploits 1
Hacker One, added 2026/06/03 10:27 p.m., 7 views

Revive Adserver: Reflected XSS via unsanitised refresh parameter in zone invocation tag

A missing sanitization of user input in the zone-include.php script of Revive Adserver 6.0.7 and earlier was reported. This vulnerability allowed a low-privileged user to perform reflected XSS attacks by exploiting the refresh parameter of the iFrame invocation tag...

CVSS 6.1, AI score 5.8, EPSS 0.00222, Exploits 0
Hacker One, added 2026/06/03 9:19 p.m., 21 views

curl: DNS domain search list followed for extant domain missing A or AAAA records

Summary: curl calls getaddrinfo() to resolve a domain's addresses; however, glibc will continue through the domain search list to find data even if it gets a NODATA response. When using AF_UNSPEC in the addrinfo hints, this search will stop at the first domain with either an A or AAAA record; however, when...

AI score 5.5, Exploits 0
Hacker One, added 2026/06/03 9:00 p.m., 7 views

Revive Adserver: Missing ownership validation allows cross-manager tracker–campaign linking

A vulnerability was reported in Revive Adserver version 6.0.7 and earlier that allowed a low-privileged user to link their trackers to campaigns owned by other managers on the same instance. This was due to a lack of proper ownership validation in the tracker-campaigns.php script, which handled t...

CVSS 4.3, AI score 5.9, EPSS 0.00287, Exploits 1
Hacker One, added 2026/06/02 3:56 p.m., 29 views

curl: PRE_PROXY change leaks stale Proxy Digest state across proxy-chain boundary

Summary: After a Digest-authenticated HTTP proxy transfer, changing only CURLOPT_PRE_PROXY on the same libcurl easy handle does not clear stale proxy Digest/auth state. If the new SOCKS pre-proxy resolves the same HTTP proxy hostname to a different proxy endpoint, the second proxy receives a...

AI score 5.8, Exploits 0
Hacker One, added 2026/06/02 9:49 a.m., 23 views

curl: RTSP Digest auth state leaks across origins on reused libcurl easy handle

Summary: When a reused libcurl easy handle first authenticates to one RTSP origin with Digest authentication and is then switched to a different RTSP origin, libcurl can send the old origin's Digest authentication state to the new origin. The second RTSP server does not need to send a...

AI score 5.8, Exploits 0
Hacker One, added 2026/06/02 9:06 a.m., 22 views

curl: TFTP upload ignores --continue-at / CURLOPT_RESUME_FROM and leaks skipped local file prefix

Summary: TFTP uploads ignore the configured resume offset. When a caller runs curl -C N -T file tftp://... or uses libcurl with CURLOPT_UPLOAD and CURLOPT_RESUME_FROM, curl should skip the first N bytes of the local source before uploading. Instead, the TFTP code sends the complete local file from by...

AI score 5.8, Exploits 0
Hacker One, added 2026/06/01 5:41 p.m., 17 views

PortSwigger Web Security: Incomplete fix for CVE-2022-35406: meta-redirect content-type check bypassable via parameter injection

The fix for CVE-2022-35406 (1541301) stops Burp from following a redirect when the response Content-Type/Content-Disposition would prevent HTML rendering. The check substring-matches "html" in the raw Content-Type instead of parsing the media type. A text/plain response can smuggle the token via a...

CVSS 4.3, AI score 5.8, EPSS 0.00623, Exploits 0
Hacker One, added 2026/06/01 3:28 p.m., 31 views

curl: libcurl 8.20.0 ignores HTTP Digest domain protection space and preemptively leaks Digest auth outside the declared scope

Summary: libcurl 8.20.0 ignores the server-declared HTTP Digest domain protection space for origin authentication and reuses stored Digest state too broadly on the same easy handle. After a successful Digest-authenticated request, a later request on the same easy handle can receive a preemptive...

AI score 5.8, Exploits 0
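An added example, with names and structures of its own rather than libcurl's, of scoping cached Digest state the way the HTTP and RTSP cross-origin reports, the PRE_PROXY report and the domain protection-space report above all call for: reuse only on the same scheme, host and port, and only for request targets under the challenge's declared `domain` entries (RFC 7616 section 3.3). Origins, realms and paths are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Cached state from one Digest challenge. origin is "scheme://host:port";
   domain holds the challenge's space-separated URIs, empty when none were
   declared (meaning the whole origin). */
typedef struct {
    int valid;
    char origin[128];
    char realm[64];
    char domain[256];
} digest_state;

/* Record a successful challenge from `origin`; domain may be NULL. */
void digest_state_learn(digest_state *st, const char *origin,
                        const char *realm, const char *domain)
{
    memset(st, 0, sizeof *st);
    snprintf(st->origin, sizeof st->origin, "%s", origin);
    snprintf(st->realm, sizeof st->realm, "%s", realm);
    if(domain)
        snprintf(st->domain, sizeof st->domain, "%s", domain);
    st->valid = 1;
}

/* Is `uri` under protection-space entry `entry` (length n)? The entry is
   a prefix of the URI matched on a path-segment boundary. */
static int under_prefix(const char *uri, const char *entry, size_t n)
{
    if(strncmp(uri, entry, n) != 0)
        return 0;
    return uri[n] == '\0' || uri[n] == '/' || entry[n - 1] == '/';
}

/* May the stored state be sent preemptively for `path` on `origin`?
   Different origin: never (that is the cross-origin leak). Same origin
   with no declared domain: yes. Otherwise the target must fall under one
   of the declared entries, compared as an abs_path or as an absolute
   URI (origin + path). */
int digest_state_applies(const digest_state *st, const char *origin,
                         const char *path)
{
    char full[512];
    const char *p;
    if(!st->valid || strcmp(st->origin, origin) != 0)
        return 0;
    if(!st->domain[0])
        return 1;
    snprintf(full, sizeof full, "%s%s", origin, path);
    p = st->domain;
    while(*p) {
        const char *start;
        size_t n;
        while(*p == ' ')
            p++;
        start = p;
        while(*p && *p != ' ')
            p++;
        n = (size_t)(p - start);
        if(n && (under_prefix(path, start, n) || under_prefix(full, start, n)))
            return 1;
    }
    return 0;
}

/* Constructed scenario: one origin challenged with domain="/protected /api/". */
int demo_digest_reuse(const char *origin, const char *path)
{
    digest_state st;
    digest_state_learn(&st, "https://app.example:443", "users", "/protected /api/");
    return digest_state_applies(&st, origin, path);
}

/* Same origin, challenge without a domain parameter. */
int demo_digest_reuse_nodomain(const char *origin, const char *path)
{
    digest_state st;
    digest_state_learn(&st, "https://app.example:443", "users", NULL);
    return digest_state_applies(&st, origin, path);
}
```

Keying the state on the full origin is what also covers the PRE_PROXY case: if the effective proxy endpoint changes, the origin string changes and the stale Proxy-Authorization is not replayed.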
Hacker One, added 2026/06/01 8:53 a.m., 15 views

curl: heap-use-after-free in state.referer when CURLOPT_REFERER replaced or cleared after perform

Calling curl_easy_setopt(curl, CURLOPT_REFERER, ...) to replace or clear a previously-set referer after curl_easy_perform() frees the old string via Curl_setstropt() (lib/setopt.c:87) but leaves data->state.referer.ptr pointing at the freed heap region. curl_easy_getinfo(CURLINFO_REFERER) and curl_easy_duphandle() then...

AI score 5.6, Exploits 0
Hacker One, added 2026/05/31 5:50 p.m., 21 views

curl: curl/libcurl 8.20.0 NOPROXY bypass via uppercase-hex IPv4 aliases leaks off-proxy Basic credentials to the configured proxy

Summary: curl/libcurl 8.20.0 fails to enforce CURLOPT_NOPROXY, --noproxy, and NO_PROXY consistently for uppercase-hex IPv4 aliases such as 0X7f.1 on glibc-based systems that accept these legacy numeric IPv4 forms. When a canonical IP literal is excluded from proxying, curl sends the canonical form...

AI score 5.8, Exploits 0
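Added example serving both the trailing-dot redirect comparison report and the uppercase-hex NOPROXY alias report above; it is not curl's code. Hostnames are lowercased, one trailing dot is dropped, and legacy numeric IPv4 spellings (hex, octal, fewer than four parts, the forms glibc's inet_aton() accepts) are rewritten to dotted quad before any policy comparison. The legacy parser is self-contained rather than a call to inet_aton(); inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parses the legacy numeric IPv4 spellings a glibc/BSD resolver accepts:
   one to four parts, each decimal, octal (leading 0) or hex (0x/0X), the
   final part filling the remaining bytes. Returns 1 with the address in
   host byte order, 0 if s is not numeric. */
int parse_legacy_ipv4(const char *s, unsigned long *addr)
{
    unsigned long long parts[4], result = 0, last_max;
    int nparts = 0, i;
    const char *p = s;
    for(;;) {
        char *end;
        if(!isxdigit((unsigned char)*p))    /* strtoull would skip spaces and signs */
            return 0;
        if(nparts == 4)
            return 0;                       /* a fifth part */
        parts[nparts++] = strtoull(p, &end, 0);
        if(end == p)
            return 0;
        if(*end == '\0')
            break;
        if(*end != '.')
            return 0;
        p = end + 1;
    }
    for(i = 0; i < nparts - 1; i++) {
        if(parts[i] > 0xFF)
            return 0;
        result = (result << 8) | parts[i];
    }
    last_max = (1ULL << (8 * (5 - nparts))) - 1;  /* last part spans 5-nparts bytes */
    if(parts[nparts - 1] > last_max)
        return 0;
    *addr = (unsigned long)((result << (8 * (5 - nparts))) | parts[nparts - 1]);
    return 1;
}

/* Canonical form for policy comparison (no-proxy entries, redirect
   same-host checks). Returns 0 on success. */
int canonical_host(const char *in, char *out, size_t outlen)
{
    char tmp[256];
    size_t n = strlen(in), i;
    unsigned long a;
    if(n == 0 || n >= sizeof tmp)
        return -1;
    memcpy(tmp, in, n + 1);
    if(n > 1 && tmp[n - 1] == '.')
        tmp[--n] = '\0';                    /* "example.com." -> "example.com" */
    for(i = 0; i < n; i++)
        tmp[i] = (char)tolower((unsigned char)tmp[i]);
    if(parse_legacy_ipv4(tmp, &a)) {        /* "0X7f.1" -> "127.0.0.1" */
        int w = snprintf(out, outlen, "%lu.%lu.%lu.%lu", (a >> 24) & 0xFF,
                         (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF);
        return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
    }
    if(n >= outlen)
        return -1;
    memcpy(out, tmp, n + 1);
    return 0;
}

/* Same host for policy purposes? */
int hosts_equal(const char *x, const char *y)
{
    char cx[256], cy[256];
    if(canonical_host(x, cx, sizeof cx) || canonical_host(y, cy, sizeof cy))
        return 0;
    return strcmp(cx, cy) == 0;
}

/* 1 if canonical_host(in) yields exactly `expect`. */
int canonical_host_is(const char *in, const char *expect)
{
    char c[256];
    return canonical_host(in, c, sizeof c) == 0 && strcmp(c, expect) == 0;
}
```

Whichever side of a comparison decides whether a request stays off-proxy, keeps a client certificate or carries credentials, both operands have to go through the same canonicalisation; comparing a canonical no-proxy entry against the user's raw spelling is exactly the mismatch the alias report exploits.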
Hacker One, added 2026/05/30 7:56 a.m., 18 views

curl: SMTP connection reuse ignores --ssl-reqd / CURLOPT_USE_SSL and reuses a clear-text STARTTLS session on current master

Summary: Current master reintroduces a STARTTLS connection-reuse bug in SMTP. After commit 91dcf4e610 (url: url_match_destination fix), curl/libcurl can reuse an already-established clear-text smtp:// session for a later logical request that explicitly requires TLS via --ssl-reqd or CURLOPT_USE_SSL =...

AI score 5.8, Exploits 0
Hacker One, added 2026/05/29 9:18 a.m., 22 views

curl: Low priority HSTS bypass in curl_easy_duphandle()

Summary: curl_easy_duphandle() creates a fresh HSTS store for the cloned handle and populates it from the configured files and callbacks, but never copies entries acquired from Strict-Transport-Security response headers during the parent's lifetime. This means the client using a cloned handle may...

AI score 5.8, Exploits 0
Hacker One, added 2026/05/28 6:53 p.m., 20 views

curl: Proxy CONNECT response poisoning via authentication retry in cf-h1-proxy.c (libcurl)

Summary: When an HTTP/1.x proxy returns a 407 with no Content-Length and no chunked transfer-encoding, lib/cf-h1-proxy.c singleheader sets ts->keepon = KEEPON_DONE but never sets ts->close_connection = TRUE. Because ts->close_connection and conn->bits.close both stay false, the CONNECT tunnel state...

AI score 5.8, Exploits 0
Hacker One, added 2026/05/28 8:54 a.m., 24 views

curl: curl External-Controlled Filename in `--url @file` Leads to Arbitrary File Overwrite

Vulnerability Report: curl External-Controlled Filename in --url @file Leads to Arbitrary File Overwrite. 1. Product Overview: curl is a widely used command-line tool and library (libcurl) for transferring data with URL syntax across multiple protocols such as HTTP, HTTPS, and FTP. It is preinstalled...

AI score 5.7, Exploits 0
Hacker One, added 2026/05/28 3:28 a.m., 15 views

curl: CURLOPT_COOKIE leaked to cross-origin redirect target — CURLOPT_UNRESTRICTED_AUTH bypass for the STRING_COOKIE path

Summary: http_cookies() at lib/http.c:2532-2534 appends the value of CURLOPT_COOKIE (the cookie supplied via -b) to outgoing Cookie: headers without invoking Curl_auth_allowed_to_host(). As a result, when CURLOPT_FOLLOWLOCATION is enabled and the initial origin issues a cross-origin redirect (open redirector),...

CVSS 5.7, AI score 6.7, EPSS 0.01595, Exploits 1
Total number of security vulnerabilities: 15365