15368 matches found
Node.js: Uppercase SNI context matching can lead to mTLS authorization bypass due to case-sensitive hostname matching
Vulnerability description not provided...
Revive Adserver: PHP code injection via delivery limitation logical
Vulnerability description not provided...
Node.js: Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings
Vulnerability description not provided...
Revive Adserver: Reflected XSS via clientid parameter in zone-include.php
Vulnerability description not provided...
Revive Adserver: Blind SQL injection via clientid parameter in zone-include.php
Vulnerability description not provided...
curl: SMTP Command Injection via CRLF in libcurl MAIL_FROM / MAIL_RCPT (lib/smtp.c)
Summary: libcurl's SMTP implementation fails to properly sanitize CRLF sequences in user-controlled inputs passed via CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT. The function smtp_parse_address() (lib/smtp.c:277) extracts any data following the closing character as a raw suffix and incorporates it directly int...
curl: CVE-2026-5773: wrong reuse of SMB connection
A vulnerability was discovered in curl version 8.19.0 and earlier versions that support SMB. The vulnerability was due to the incorrect reuse of SMB connections across different shares on the same server. This led to data spoofing and access control bypass. The issue was caused by the lack of...
Revive Adserver: Missing access control when linking trackers to campaigns
A missing access control check was reported when linking trackers to campaigns through the "campaign-trackers.php" script of Revive Adserver 6.0.6 and earlier. A low-privileged user could link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent...
Revive Adserver: Missing access control when linking banners or campaigns to zones
A missing access control check was identified when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API. This could have allowed a low-privileged user to link their zones to banners or campaigns owned by other managers on...
curl: FTP entrypath accepts 0xFF (Telnet IAC) through incomplete ISCNTRL filter, sent on wire via CWD on connection reuse
Summary: A malicious FTP server can embed the byte 0xFF (Telnet IAC) in the PWD response path. The ISCNTRL() filter at lib/ftp.c:3095 expands to ISLOWCNTRL(x) || IS7F(x) on an (unsigned char) x, which does not reject 0xFF; the byte is kept in entrypath (line 3131) and sent verbatim via "CWD %s" on connection reuse (line 849). I understand the KNOWNRISK.md and...
curl: no_proxy IDN mismatch: Unicode hostnames bypass proxy exclusion list
Summary: Unicode IDN hostnames in no_proxy are never converted to punycode before comparison, so they never match the request hostname, which curl has already converted to punycode. A user who sets no_proxy="bücher.de" and requests http://bücher.de/ expects the proxy to be bypassed. Instead curl...
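The mismatch described in that report, as an added example (not curl's own code): a no_proxy matcher that compares a punycode request host against raw entries, beside one that normalises both sides with the same IDNA conversion. Python's built-in idna codec (IDNA2003) is used for the conversion; the function names are illustrative.

```python
# Added example (not curl's code): a no_proxy matcher that converts both the
# request host and each no_proxy entry to punycode before comparing.

def to_ascii_host(host: str) -> str:
    """Lower-case, strip a trailing dot and IDNA-encode a hostname."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")

def _suffix_match(host: str, entry: str) -> bool:
    # exact match or a label boundary before the entry ("www.bücher.de" vs "bücher.de")
    return host == entry or host.endswith("." + entry)

def naive_no_proxy_match(request_host: str, no_proxy: str) -> bool:
    """Models the flawed behaviour: the URL host is already punycode
    (the client converted it), but no_proxy entries are compared as typed."""
    host = to_ascii_host(request_host)
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().lstrip(".")
        if not entry:
            continue
        if entry == "*" or _suffix_match(host, entry):
            return True
    return False

def hardened_no_proxy_match(request_host: str, no_proxy: str) -> bool:
    """Normalise both sides the same way before comparing."""
    host = to_ascii_host(request_host)
    for entry in no_proxy.split(","):
        entry = entry.strip().lstrip(".")
        if not entry:
            continue
        if entry == "*" or _suffix_match(host, to_ascii_host(entry)):
            return True
    return False

if __name__ == "__main__":
    print(naive_no_proxy_match("bücher.de", "bücher.de"))     # False: proxy still used
    print(hardened_no_proxy_match("bücher.de", "bücher.de"))  # True: proxy bypassed
```

The suffix check deliberately requires a label boundary, so "bücher.de" does not match "bücher.de.evil.test"; a leading dot on an entry is accepted and ignored, as curl does.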
curl: Improper enforcement of CURLOPT_SOCKS5_AUTH due to missing reuse key validation in libcurl
Detail: lib/setopt.c:1048-1051: CURLOPT_SOCKS5_AUTH is stored into data->set.socks5_auth. lib/socks.c:597-641, socks5_req0_init(): a fresh SOCKS5 handshake reads data->set.socks5_auth; if BASIC is not allowed, it clears sx->proxy_user at lines 618-620, so username/password auth is not even offered. ...
Node.js: TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections
Vulnerability description not provided...
Node.js: Improper Input Validation — HTTP Response Parser Unconditionally Accepts Bare CR in Status Line
The llhttp HTTP response parser in Node.js up to version 24.14.1 (llhttp v9.3.0 and v9.3.1) was found to unconditionally accept a bare carriage return (CR) as a valid response status-line terminator. This parsing asymmetry was present in the response path but not in the request parsing, enabling...
curl: Internal application wrapper or script using curl
While -guid is not a standard or documented curl option, this report describes a Command Injection or Argument Injection vulnerability within a specific application that wraps curl. Security analysis of: curl -guid -url example.com. 1. Status of the "-guid" flag: undocumented/non-existent. The official curl binary does not...
curl: ignoring 'options' when doing connection reuse
libcurl contains a significant logic flaw in its connection pool matching mechanism. When a transfer specifies a required authentication policy, such as a specific SASL mechanism (e.g., ;AUTH=GSSAPI) or a restricted set of SSH authentication types (CURLOPT_SSH_AUTH_TYPES), libcurl fails to verify these...
curl: Negotiate connection reuse with wrong credentials when using CURLAUTH_ANY
Summary: CVE-2026-1965 fixed connection reuse for Negotiate authentication by adding url_match_auth_nego() in url_match_conn() at line 1244 of lib/url.c. When a first handle authenticates via Negotiate (Kerberos) on a connection and that connection returns to the pool, a second handle with different...
curl: CURLOPT_SSH_KNOWNHOSTS and host fingerprint pins are silently bypassed when an SSH connection is reused from the connection pool
Product: libcurl, all versions, all platforms, compiled with USE_SSH. Protocols affected: sftp://, scp://. Summary: libcurl's connection pool reuse logic for SSH-based protocols (SFTP, SCP) contains a security gap that allows a transfer's server-verification policy to be completely ignored. When an...
curl: Data race in Curl_dnscache_add_negative() corrupts shared DNS cache — heap corruption and double-free when using CURLOPT_SHARE with CURL_LOCK_DATA_DNS
Severity: Medium. CVSS 3.1: 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H). Summary: Curl_dnscache_add_negative() in lib/dnscache.c modifies the shared DNS cache ha...
arkadiyt-projects: Authorization header leak in ssrf_filter via cross-host redirect leads to credential theft and unauthorized access
A vulnerability was discovered in the ssrf_filter library. The vulnerability allowed an attacker-controlled redirect target to receive credentials that were intended only for the original request origin. This was possible because ssrf_filter followed redirects by rebuilding each redirected request...
curl: CVE-2026-5545: wrong reuse of HTTP Negotiate connection
Summary: An attacker sharing a libcurl multi-handle connection pool can hijack another user's Negotiate/Kerberos-authenticated connection. When User A authenticates via Negotiate (SPNEGO) and the connection returns to the pool, User B using CURLAUTH_ANY with different credentials gets that connectio...
curl: Cookie attribute TAB injection regression in Set-Cookie parsing
Overview. Component: lib/cookie.c (parse_cookie_header). Type: security regression, incomplete input validation. CWE: CWE-20 Improper Input Validation. Severity: LOW (CVSS 3.1 estimated 3.7, comparable to CVE-2022-35252). Affected: curl 8.18.0 through current HEAD. ...
curl: Missing server identity policy enforcement in SSH connection reuse allows host key verification bypass via pool poisoning
Summary: ssh_config_matches() in lib/url.c decides whether an existing SSH connection can be reused by a new transfer handle. It checks the client key paths (rsa, rsa_pub) but never...
curl: Bypassing Strict SSH Server Verification via Connection Pool Reuse in libcurl
Summary: There is a logic flaw in how libcurl manages its connection pool for SSH protocols (SFTP/SCP). When evaluating an existing connection for reuse, ssh_config_matches() in lib/url.c fails to compare server identity verification policies. By ignoring CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5...
curl: Use-After-Free race condition in url_move_hostname() via shared connection pool
Summary: In lib/url.c, url_conn_reuse_adjust() calls url_move_hostname(), which frees conn->host.rawalloc and conn->host.encalloc via Curl_safefree() and Curl_free_idnconverted_hostname() after Curl_cpool_find() has already released the connection pool lock. A second thread doing a concurrent pool lookup still holds tha...
curl: HackerOne Vulnerability Report: libcurl SSL/TLS Identity Leakage via Insecure Connection Reuse
Summary: libcurl contains a critical logic flaw in its connection reuse mechanism, where transfers using the CURLOPT_SSL_CTX_FUNCTION SSL context callback to establish a specific identity (e.g., via client certificates) can have their connections incorrectly reused by subsequent, unauthenticated transfe...
curl: HTTP/2 PUSH_PROMISE header loss on OOM bypasses scheme validation (regression of 2e8c922a89)
Summary: In lib/http2.c:1490, when curl_maprintf() fails due to memory pressure, the push-promise header is silently dropped but the callback returns success. If the lost header is the :scheme pseudo-header, the security check at line 733 that blocks HTTPS pushes over insecure connections is skipped...
arkadiyt-projects: Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes
A path traversal vulnerability was discovered in the protodump tool. The vulnerability allowed an attacker to influence the output filename construction and bypass the containment check, enabling writes outside the intended output directory. The vulnerability was caused by the use of...
arkadiyt-projects: SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48)
A vulnerability was discovered in the ssrf_filter library version 1.3.0. The library failed to block the NAT64 local-use IPv6 prefix 64:ff9b:1::/48, allowing such addresses to be treated as public. This enabled SSRF requests through /fetch to targets encoded under that prefix when routable in the...
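The gap described in that entry, as an added example (not ssrf_filter's code; ssrf_filter is a Ruby library, this is a Python model of the check): a public-address classifier that unwraps IPv4-mapped and RFC 6052 well-known NAT64 addresses to judge the embedded IPv4, and treats the whole RFC 8215 local-use prefix 64:ff9b:1::/48 as non-public. The deny lists are deliberately short and constructed for the example; a real filter carries the full RFC 6890 set.

```python
import ipaddress

# Added example, not ssrf_filter code. NAT64 prefixes: RFC 6052 well-known /96
# and RFC 8215 local-use /48.
NAT64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")
NAT64_LOCAL_USE = ipaddress.ip_network("64:ff9b:1::/48")

# Constructed, abbreviated deny lists (a real filter uses the full RFC 6890 set).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
PRIVATE_V6 = [ipaddress.ip_network(n) for n in (
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]

def embedded_ipv4(ip6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """IPv4 carried in the low 32 bits of a NAT64-style address."""
    return ipaddress.IPv4Address(int(ip6) & 0xFFFFFFFF)

def _v4_is_public(ip4: ipaddress.IPv4Address) -> bool:
    return not any(ip4 in net for net in PRIVATE_V4)

def is_public(ip_str: str, block_nat64_local_use: bool = True) -> bool:
    """block_nat64_local_use=False models the 1.3.0 behaviour the report describes;
    True is the hardened check."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 4:
        return _v4_is_public(ip)
    if ip.ipv4_mapped is not None:             # ::ffff:a.b.c.d -> judge a.b.c.d
        return _v4_is_public(ip.ipv4_mapped)
    if ip in NAT64_WELL_KNOWN:                  # 64:ff9b::a.b.c.d -> judge a.b.c.d
        return _v4_is_public(embedded_ipv4(ip))
    if block_nat64_local_use and ip in NAT64_LOCAL_USE:
        return False                            # whole /48 is local-use, never public
    return not any(ip in net for net in PRIVATE_V6)

if __name__ == "__main__":
    for target in ("64:ff9b::7f00:1", "64:ff9b:1::7f00:1"):
        print(target, "->", embedded_ipv4(ipaddress.ip_address(target)),
              "public(naive):", is_public(target, False),
              "public(hardened):", is_public(target))
```

The local-use prefix is rejected as a whole rather than by unwrapping, because RFC 8215 leaves the placement of the embedded IPv4 inside that /48 to the local deployment; a filter that only looked at the low 32 bits would still pass a site-specific layout it did not anticipate.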
curl: CRLF Injection in HAProxy PROXY Protocol via CURLOPT_HAPROXY_CLIENT_IP allows IP spoofing and protocol injection
Summary: CURLOPT_HAPROXY_CLIENT_IP, introduced in curl 8.2.0, accepts arbitrary strings without any validation or sanitization before injecting them into the HAProxy PROXY protocol v1 header. An attacker who can influence the value passed to this option (e.g., through a web application that proxies...
curl: Unbounded GZIP Decompression Leading to Event-Loop Starvation
When libcurl is configured to decompress HTTP responses via CURLOPT_ACCEPT_ENCODING or the --compressed CLI flag, it lacks decompression bounds checking or a mechanism to yield execution during massive expansion tasks. If an attacker provides a highly compressed payload (zip bomb), libcurl's underlyi...
curl: HTTP/2 server push accepts a non-authoritative :scheme=https over cleartext h2c, enabling HTTPS cache-key poisoning
Summary: I found that libcurl 8.19.0 accepts an HTTP/2 pushed stream on a cleartext h2c connection even when the server sends :scheme=https in PUSH_PROMISE. In lib/http2.c, set_transfer_url() builds the pushed handle's URL from the server-supplied :scheme, :authority, and :path, but PUSH_PROMISE validati...
curl: Security Vulnerability Report: Protocol Injection via Programmatic Options
Summary: Multiple text-based protocol handlers in libcurl, including FTP, SMTP, POP3, and IMAP, are vulnerable to protocol command injection. This occurs when an application sets credentials or other protocol-specific options programmatically (e.g., via CURLOPT_USERNAME, CURLOPT_PASSWORD, or...
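The injection class shared by the SMTP MAIL FROM/RCPT entry, the FTP 0xFF entrypath entry, the CURLOPT_HAPROXY_CLIENT_IP entry and this one, as an added example (a Python model, not libcurl's code): the argument check a client should apply before splicing a user-controlled value into a line-based protocol. The naive_is_cntrl() filter mirrors the ISLOWCNTRL(x) || IS7F(x) shape the FTP report quotes, so it shows why 0xFF slips through; the builder and helper names are illustrative, and the inputs are constructed.

```python
import ipaddress

# Added example, not libcurl code.

def naive_is_cntrl(b: int) -> bool:
    """Models a filter of the form ISLOWCNTRL(x) || IS7F(x): catches bytes
    below 0x20 and 0x7F, but not 0xFF."""
    return b < 0x20 or b == 0x7F

def argument_is_safe(value: bytes, telnet: bool = False) -> bool:
    """Reject control bytes; on a Telnet-framed channel (the FTP control
    connection) also reject 0xFF, the IAC escape."""
    for b in value:
        if naive_is_cntrl(b):
            return False
        if telnet and b == 0xFF:
            return False
    return True

def naive_smtp_command(verb: bytes, addr: bytes) -> bytes:
    """Unsafe builder: the address is embedded verbatim, so an embedded CRLF
    turns one command into two."""
    return verb + b":<" + addr + b">\r\n"

def safe_smtp_command(verb: bytes, addr: bytes) -> bytes:
    if not argument_is_safe(addr):
        raise ValueError("control bytes in SMTP address")
    return naive_smtp_command(verb, addr)

def safe_ftp_cwd(path: bytes) -> bytes:
    if not argument_is_safe(path, telnet=True):
        raise ValueError("control or IAC byte in FTP path")
    return b"CWD " + path + b"\r\n"

def safe_proxy_v1_header(src: str, dst: str, sport: int, dport: int) -> bytes:
    """HAProxy PROXY protocol v1 line. Parsing the addresses with ipaddress
    rejects anything that is not a literal IP, CRLF included."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version or not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("bad PROXY parameters")
    fam = "TCP4" if s.version == 4 else "TCP6"
    return f"PROXY {fam} {s} {d} {sport} {dport}\r\n".encode("ascii")

def is_rejected(builder, *args) -> bool:
    """True if the builder refuses the input (used to exercise the guards)."""
    try:
        builder(*args)
    except ValueError:
        return True
    return False

# Constructed inputs: an SMTP address carrying a second command, an FTP path
# carrying a Telnet IAC byte, and a PROXY client IP carrying an HTTP request.
INJECTED_ADDR = b"alice@example.test>\r\nRCPT TO:<mallory@attacker.test"
IAC_PATH = b"/pub/\xff"
INJECTED_IP = "203.0.113.7\r\nGET / HTTP/1.1"

if __name__ == "__main__":
    print(naive_smtp_command(b"MAIL FROM", INJECTED_ADDR))   # two commands on the wire
    print(is_rejected(safe_smtp_command, b"MAIL FROM", INJECTED_ADDR))
    print(argument_is_safe(IAC_PATH), argument_is_safe(IAC_PATH, telnet=True))
```

Rejecting rather than escaping is the right default here: none of these protocols has a universal quoting rule for a control byte inside a command argument, so the only value that can be sent faithfully is one that contains none.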
Node.js: Permission Model bypass via FileHandle.utimes() in the promises API
Vulnerability description not provided...
PortSwigger Web Security: Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption
A security issue was discovered in the /api-internal/login authentication endpoint of the internal login interface of Burp Suite DAST Enterprise. The issue was caused by improper input validation order, where the application processed user-supplied input before enforcing field-level validation...
Nextcloud: PIN bypass in PassCodeActivity via back button
A vulnerability was discovered in the PassCodeActivity of a certain application. The vulnerability allowed bypassing the PIN code by pressing the back button...
curl: HTTP/1.1 Response Desynchronization via conflicting CL/TE headers in Proxy CONNECT
Summary: curl fails to prioritize the Transfer-Encoding: chunked header over Content-Length in HTTP/1.1 proxy responses, specifically 407/401 auth challenges, violating RFC 9112 Section 6.1. I have identified the root cause in cf-h1-proxy.c. In the response-handling loop around line 466, the code...
curl: CVE-2026-4873: connection reuse ignores TLS requirement
A vulnerability was discovered in libcurl's connection reuse for cleartext-upgrade mail protocols. The later transfer's CURLOPT_USE_SSL option was not taken into account if a plaintext connection was already open and reusable. This affected the smtp://, pop3://, and imap:/...
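The bug class that runs through the connection-reuse entries above (options ignored on reuse, SSH known-hosts and fingerprint pins bypassed, SSL context identity leaked, Negotiate sessions handed to another user, TLS requirement ignored), as an added example (a Python model, not libcurl's code): a pool match that compares only the endpoint beside one that also compares every setting that changes who the client trusts or who it is. The dataclass fields are illustrative stand-ins for the options the reports name, and the pool is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example, not libcurl code: a model of the connection-pool match.

@dataclass(frozen=True)
class TransferPolicy:
    host: str
    port: int
    scheme: str
    use_ssl: str = "none"                  # stands in for CURLOPT_USE_SSL: none/try/required
    user: Optional[str] = None             # credentials the transfer will present
    auth_mech: Optional[str] = None        # e.g. a ";AUTH=GSSAPI" restriction
    ssh_known_hosts: Optional[str] = None  # stands in for CURLOPT_SSH_KNOWNHOSTS
    ssh_hostkey_pin: Optional[str] = None  # stands in for a host key fingerprint pin
    tls_identity: Optional[str] = None     # label for a client cert set by an SSL ctx callback

@dataclass
class PooledConn:
    policy: TransferPolicy               # policy of the transfer that opened it
    is_tls: bool                         # whether TLS was negotiated on the wire
    authenticated_as: Optional[str] = None

def naive_match(conn: PooledConn, want: TransferPolicy) -> bool:
    """Endpoint-only match: the flawed behaviour the reports describe."""
    p = conn.policy
    return (p.host, p.port, p.scheme) == (want.host, want.port, want.scheme)

def strict_match(conn: PooledConn, want: TransferPolicy) -> bool:
    """Endpoint match plus every setting that changes trust or identity."""
    if not naive_match(conn, want):
        return False
    if want.use_ssl == "required" and not conn.is_tls:
        return False                     # a plaintext connection cannot satisfy "required"
    if conn.authenticated_as is not None and conn.authenticated_as != want.user:
        return False                     # never hand one user's session to another
    p = conn.policy
    mine = (p.auth_mech, p.ssh_known_hosts, p.ssh_hostkey_pin, p.tls_identity)
    theirs = (want.auth_mech, want.ssh_known_hosts, want.ssh_hostkey_pin, want.tls_identity)
    return mine == theirs

def find_reusable(pool: Iterable[PooledConn], want: TransferPolicy,
                  match=strict_match) -> Optional[PooledConn]:
    for conn in pool:
        if match(conn, want):
            return conn
    return None

# Constructed pool: a plaintext SMTP connection, an SFTP connection opened
# without any known-hosts check, and an HTTPS connection authenticated as alice.
POOL = [
    PooledConn(TransferPolicy("mail.example.test", 587, "smtp"), is_tls=False),
    PooledConn(TransferPolicy("files.example.test", 22, "sftp"), is_tls=False),
    PooledConn(TransferPolicy("intranet.example.test", 443, "https", user="alice"),
               is_tls=True, authenticated_as="alice"),
]

if __name__ == "__main__":
    want = TransferPolicy("mail.example.test", 587, "smtp", use_ssl="required")
    print("naive reuses plaintext for USE_SSL=required:", find_reusable(POOL, want, naive_match) is not None)
    print("strict reuses it:", find_reusable(POOL, want) is not None)
```

The rule of thumb the model encodes: anything that was an input to how the connection was verified (server identity policy, TLS requirement) or to what the server now believes about the client (credentials, client certificate, negotiated mechanism) must be part of the match key, or a new connection must be opened.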
AWS VDP: Health check errors silently dropped when channel buffer full
Component: pkg/plugin/plugin.go:153-156, pkg/plugin/pluginv2.go:156-158. Affected version: aws-encryption-provider @ 4341c70 (all versions). Found by: source audit. TLP: TLP:AMBER. Summary: When KMS operations fail, the error is sent to a buffered channel (healthCheckErrc, size 100) via a non-blocking...
AWS VDP: Encryption context keys and values logged at INFO level
Component: cmd/server/main.go:101-106. Affected version: aws-encryption-provider @ 4341c70 (all versions). Found by: source audit. TLP: TLP:AMBER. Summary: The server startup code logs all encryption context key-value pairs at INFO level. Encryption context is metadata associated with KMS operations...
AWS VDP: V2Plugin.Decrypt panics on empty ciphertext (Remote DoS)
A vulnerability was discovered in the "aws-encryption-provider" component where the "V2Plugin.Decrypt" function accessed the ciphertext slice without checking if it was empty, leading to a panic and crashing the entire gRPC server process...
AWS VDP: V1Plugin.Decrypt panics on empty ciphertext (Remote DoS)
A vulnerability was discovered in the aws-encryption-provider component of the pkg/plugin/plugin.go file at revision 4341c70. The vulnerability caused the V1Plugin.Decrypt function to panic when passed an empty ciphertext, crashing the entire gRPC server process. This was due to the function...
DuckDuckGo: RCE + PAT Exfiltration via pull_request_target in privacy-configuration/auto-respond-pr.yml — Direct Supply Chain to All DDG Browsers
A vulnerability was discovered in the "auto-respond-pr.yml" GitHub Actions workflow of the "privacy-configuration" repository. The workflow used the "pull_request_target" trigger, which checked out the fork's repository as both the "base" and "PR" branches. This allowed an attacker to control the...
DuckDuckGo: RCE + Supply Chain Attack via pull_request_target in content-scope-scripts/semver-label.yml — Affects All DuckDuckGo Browsers
A vulnerability was discovered in the DuckDuckGo content-scope-scripts repository's GitHub Actions workflow. The workflow used the pull_request_target trigger without access controls, allowing untrusted code from fork pull requests to be checked out and executed. This could have led to remote code...
Node.js: Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)
Vulnerability description not provided...
curl: Function `do_pubkey()` can have out-of-bound read issue
Summary: A 1-byte out-of-bounds heap read in do_pubkey() in lib/vtls/x509asn1.c. When parsing an RSA public key with a zero-length or all-zero modulus, the loop dereferences a pointer before checking bounds. Requires a non-OpenSSL TLS backend (e.g., mbedTLS or GnuTLS). A certificate chain verification can trigg...
curl: Exposed .git/config File Leading to Potential Sensitive Information Disclosure
Summary: The .git/config file is publicly accessible on the target server, which may expose sensitive repository configuration details. This indicates that the .git directory is improperly exposed, potentially allowing attackers to reconstruct the entire source code repository and extract sensiti...
Rocket.Chat: Unauthenticated file deletion via deleteFileMessage DDP method allows permanent destruction of any uploaded file
Vulnerability description not provided...
curl: Bearer Token Leaked to Attacker via .netrc Despite CVE-2026-3783 Fix
curl versions 8.19.0 and later were meant to fix CVE-2026-3783, which caused OAuth2 bearer tokens to leak on HTTP redirects when the user has a .netrc file configured. However, the vulnerability still exists in the current codebase. Vulnerability: When a curl user specifies an OAuth2 bearer token...
curl: HSTS accepted from HTTP origin behind HTTPS proxy
curl/libcurl appears to accept and persist Strict-Transport-Security from an http:// origin when the request is sent through an https:// proxy. After that, a later http:// request for the same host is automatically upgraded to https:// due to stored HSTS state. Affected versions 8.12.0 through...