CVE-2026-9079
CVE-2026-9079 concerns libcurl: when instructed to clear proxy authentication credentials, it failed to do so, leaving the old credentials in place and potentially reused in subsequent transfers that should not know or use them. The description across multiple sources consistently states this cre...
CVE-2026-8932
libcurl (client library) is affected by CVE-2026-8932 due to incomplete mTLS config matching in the connection reuse logic. The vulnerability arises because TLS settings related to client certificates, notably the private key, were omitted from the configuration match checks, allowing a previousl...
CVE-2026-8927
CVE-2026-8927 affects libcurl: when reusing a handle for sequential transfers driven by environment-variable proxies, the proxy authentication state is not cleared between requests, causing leakage of the Proxy-Authorization header from an initial proxy (proxyA) to a subsequent proxy (proxyB). Af...
CVE-2026-8926
Curl 8.x is affected by CVE-2026-8926: when using a .netrc file to locate credentials and specifying a URL containing a username (without a password), curl could leak the password for another user configured in the same host’s .netrc file if there is no exact user match. The vulnerability concern...
CVE-2026-8925
The CVE-2026-8925 issue in curl is a SASL double-free where the GSASL context can be freed twice due to cleanup without clearing the pointer in between. This is specifically tied to curl’s SASL authentication path and can lead to a denial of service or arbitrary code execution in affected builds....
CVE-2026-8924
CVE-2026-8924 affects curl due to a flaw in its cookie parsing logic. A malicious HTTP server can set “super cookies” that bypass the Public Suffix List, allowing an attacker-controlled origin to inject cookies that curl scopes and transmits to unrelated third-party domains. The connected documen...
CVE-2026-8458
CVE-2026-8458 affects libcurl. A logical error can cause libcurl to reuse a connection to the same server that was authenticated under a different service when performing Negotiate-authenticated requests. The issue arises from libcurl’s connection pool reusing “recent connections” and failing to ensure mat...
CVE-2026-8286
CVE-2026-8286 concerns curl: a STARTTLS upgrade may reuse an existing live connection even when the TLS configuration does not match, indicating a flaw in how curl handles STARTTLS-based upgrades. Public references describe the issue consistently across multiple advisories (NVD, CVE list, OSV, Ub...
CVE-2026-12064
CVE-2026-12064 affects curl versions including 7.81.0 prior to 8.21.0. When using a schemeless URL with --proto-default for SFTP/SCP, the tool layer fails to initialize SSH host verification options (CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS) while libcurl proceeds with the c...
CVE-2026-11856
CVE-2026-11856 describes a cross-origin Digest authentication state leak in libcurl: when performing a first transfer to hostA with Digest auth and then reusing the same handle for a second transfer to hostB, libcurl may forward the Authorization header intended for hostA to hostB. The issue is d...
CVE-2026-11586
The CVE-2026-11586 issue affects curl’s WebSocket handling: curl auto-responds to PING frames and has no upper bound on memory allocation for unacknowledged frames, enabling memory exhaustion via rapid PING floods. Affected are curl versions prior to 8.21.0 (e.g., 8.16.0). Remediation: upgrade to...
CVE-2026-11564
CVE-2026-11564 affects libcurl where a handle using default native CA trust may later switch to custom CA material and continue trusting the platform store, due to keeping previously used connections in a pool for reuse. Public docs describe the issue for versions affected by libcurl 8.17.0 prior...
CVE-2026-11352
CVE-2026-11352 affects curl/libcurl. A bug in QUIC UDP receive handling discards zero-length UDP datagrams toward the per-call budget, allowing a connected HTTP/3 server to continuously stream empty datagrams and cause a remote denial of service on the client. The provided documents do not specif...
CVE-2026-10536
libcurl (HTTP/2) contains a use-after-free vulnerability. If an application builds an HTTP/2 stream-dependency tree using CURLOPT_STREAM_DEPENDS/…_E, then calls curl_easy_reset() and later curl_easy_cleanup(), libcurl may access/modify an internal structure that was freed during reset. This is a ...
CVE-2026-4967
In IMS, CVE-2026-4967 describes a possible out-of-bounds read caused by a missing bounds check, which could lead to remote denial of service without extra privileges. The NVD and CVE records confirm the issue and provide a CVSSv3.1 base score of 7.5 (HIGH) with network attack vector and no u...
CVE-2026-9626
The CVE-2026-9626 entry concerns the WordPress JSON API User plugin (
CVE-2026-9180
MotoPress Appointment Booking for WordPress (versions up to 2.4.4) is vulnerable to an Authorization Bypass via a user-controlled booking_id. The REST endpoint POST /motopress/appointment/v1/bookings is registered with a permissive permission_callback (return_true), and createBooking() loads the...
CVE-2026-8892
CVE-2026-8892 affects the CM Business Directory plugin for WordPress (versions up to and including 1.5.7). The vulnerability is a Stored Cross-Site Scripting (XSS) via the Business Address Meta Fields, caused by insufficient input sanitization and output escaping. Authenticated attackers with con...
CVE-2026-11397
The CVE-2026-11397 entry concerns the WordPress plugin WP Import Export Lite (versions
CVE-2026-9725
The CVE-2026-9725 issue affects the Printcart Web to Print Product Designer for WooCommerce plugin for WordPress (versions