[
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-12064",
  "aliases": [
    "CVE-2026-12064"
  ],
  "summary": "proto-default skips SSH verification",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "tool",
    "URL": "https://curl.se/docs/CVE-2026-12064.json",
    "www": "https://curl.se/docs/CVE-2026-12064.html",
    "issue": "https://hackerone.com/reports/3797526",
    "CWE": {
      "id": "CWE-297",
      "desc": "Improper Validation of Certificate with Host Mismatch"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.81.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "18270893abdb19f0ca170c118f8a2847dbd304be"},
             {"fixed": "ab3bb8cd8be8f9d4acb97da0418abc279182041e"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", 
        "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", 
        "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", 
        "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "alienowo on hackerone (AntAISecurityLab)",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "When a user invokes curl using a schemeless URL combined with\n`--proto-default` sftp (or scp), a disconnect occurs between the tool layer\nand libcurl. The tool layer incorrectly infers the URL scheme, which\nerroneously bypasses the initialization of critical SSH security options like\nCURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the\nlibcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes\nthe connection via SFTP/SCP as specified. Because the tool layer skipped the\nsecurity configuration, these SSH host verification options are silently\nomitted, causing curl to connect to an unverified SSH remote host without\nthrowing an error."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-11856",
  "aliases": [
    "CVE-2026-11856"
  ],
  "summary": "cross-origin Digest auth state leak",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-11856.json",
    "www": "https://curl.se/docs/CVE-2026-11856.html",
    "issue": "https://hackerone.com/reports/3793260",
    "CWE": {
      "id": "CWE-294",
      "desc": "Authentication Bypass by Capture-replay"
    },
    "last_affected": "8.20.0",
    "severity": "Medium"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.10.6"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "334d78cd18a7310144383929bdcef34ffbf6159b"},
             {"fixed": "5c6b4880357ab3e72967c1c45cae0f96ffabc535"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", 
        "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", 
        "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", 
        "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", 
        "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", 
        "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", 
        "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", 
        "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", 
        "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", 
        "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", 
        "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", 
        "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", 
        "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", 
        "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", 
        "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", 
        "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", 
        "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", 
        "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", 
        "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", 
        "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", 
        "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", 
        "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", 
        "7.11.0", "7.10.8", "7.10.7", "7.10.6"
      ]
    }
  ],
  "credits": [
    {
      "name": "jjchuck on hackerone",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "Successfully using libcurl to do a transfer to a specific HTTP origin\n(`hostA`) with **Digest** authentication and then changing the origin to a\ndifferent one (`hostB`) for a second transfer, reusing the same handle, makes\nlibcurl wrongly pass on the `Authorization:` header field meant for `hostA`,\nto `hostB`."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-11586",
  "aliases": [
    "CVE-2026-11586"
  ],
  "summary": "WS Auto-PONG memory exhaustion",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-11586.json",
    "www": "https://curl.se/docs/CVE-2026-11586.html",
    "issue": "https://hackerone.com/reports/3788931",
    "CWE": {
      "id": "CWE-770",
      "desc": "Allocation of Resources Without Limits or Throttling"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.16.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "0b091328773c64e23f5c4739da74527093c6a5ab"},
             {"fixed": "849317ff5c5a5e13f50ec3d001e46ddffa77d8a4"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "evergarden1123 on hackerone (AntAISecurityLab)",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "By default, curl automatically responds to WebSocket PING frames. Because curl\nlacks an upper bound on memory allocation for unacknowledged frames, a\nmalicious server can exhaust all available memory by flooding curl with rapid,\nsequential PING messages."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-11564",
  "aliases": [
    "CVE-2026-11564"
  ],
  "summary": "Native CA trust persist",
  "modified": "2026-06-24T10:06:45.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-11564.json",
    "www": "https://curl.se/docs/CVE-2026-11564.html",
    "issue": "https://hackerone.com/reports/3788984",
    "CWE": {
      "id": "CWE-295",
      "desc": "Improper Certificate Validation"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.17.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "eefd03c572996e5de4dec4fe295ad6f103e0eefc"},
             {"fixed": "d69bfad3fa3daf5e72331f6870667607828d5891"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Filipe Casal of Trail of Bits in collaboration with OpenAI",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup.\n\nAn easy handle that first uses default native CA trust can continue trusting\nthe native platform store after the application switches that same handle to\ncustom CA material for a later transfer."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-11352",
  "aliases": [
    "CVE-2026-11352"
  ],
  "summary": "QUIC zero-length UDP datagrams busy-loop",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-11352.json",
    "www": "https://curl.se/docs/CVE-2026-11352.html",
    "issue": "https://hackerone.com/reports/3783438",
    "CWE": {
      "id": "CWE-835",
      "desc": "Loop with Unreachable Exit Condition ('Infinite Loop')"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.18.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "6a3d0b6d631d5e9bec797306b5b41a9f440a088d"},
             {"fixed": "56eca2afb4806f1032872fa97d1834b3c1385276"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "vectorqueue on hackerone (AntAISecurityLab)",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server\nto trigger a remote denial of service against a curl or libcurl client.\nBecause the helper function discards zero-length UDP datagrams before counting\nthem toward the per-call packet budget, a connected QUIC peer can continuously\nstream empty datagrams to indefinitely stall the client."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-10536",
  "aliases": [
    "CVE-2026-10536"
  ],
  "summary": "HTTP/2 stream-dependency tree UAF",
  "modified": "2026-06-24T15:14:27.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-10536.json",
    "www": "https://curl.se/docs/CVE-2026-10536.html",
    "issue": "https://hackerone.com/reports/3751697",
    "CWE": {
      "id": "CWE-416",
      "desc": "Use After Free"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.88.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "71b7e0161032927cdfb4e75ea40f65b8898b3956"},
             {"fixed": "bfbff7852f050232edd3e5ca5c6bf2021c340f5a"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", 
        "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", 
        "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Joshua Rogers (Aisle Research)",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "A use-after-free vulnerability exists in libcurl when an application\nconfigures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or\n`CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and\nfinally terminates the handle with `curl_easy_cleanup()`. During this final\ncleanup phase, libcurl attempts to access and modify an internal structure\nthat was already freed during the reset operation."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-9547",
  "aliases": [
    "CVE-2026-9547"
  ],
  "summary": "SSH improper host validation",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-9547.json",
    "www": "https://curl.se/docs/CVE-2026-9547.html",
    "issue": "https://hackerone.com/reports/3751712",
    "CWE": {
      "id": "CWE-297",
      "desc": "Improper Validation of Certificate with Host Mismatch"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.69.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "507cf6a13db0375eadd4655b4c64710db29e9cf2"},
             {"fixed": "0b8dbbc63c98777e4584cb9fbd71df3464008ad1"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", 
        "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", 
        "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", 
        "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", 
        "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", 
        "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", 
        "7.69.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Joshua Rogers (Aisle Research)",
      "type": "FINDER"
    },
    {
      "name": "Joshua Rogers (Aisle Research)",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://`\nand utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an\nuntrusted server. This vulnerability occurs when a server presents a host key\ntype that does not match the specific key type already recorded for that host\nin the `known_hosts` file. Instead of rejecting the mismatch, the callback\nmechanism fails to properly enforce the restriction, allowing the connection\nto succeed without warning and risking a potential man-in-the-middle attack."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-9546",
  "aliases": [
    "CVE-2026-9546"
  ],
  "summary": "sending old referer",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-9546.json",
    "www": "https://curl.se/docs/CVE-2026-9546.html",
    "issue": "https://hackerone.com/reports/3754343",
    "CWE": {
      "id": "CWE-200",
      "desc": "Exposure of Sensitive Information to an Unauthorized Actor"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.18.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "2cb868242dc2ac9cd52ee64987ef51d5964a56f9"},
             {"fixed": "862e8a74a84478d82973471b4f49dc2746c1780e"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "renjian on hackerone",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "A vulnerability in libcurl caused the HTTP `Referer:` header to persist even\nwhen explicitly cleared. While the documentation states that passing NULL to\n`CURLOPT_REFERER` suppresses the header, the option failed to clear the\ninternal state. As a result, the previous referrer string was erroneously\nreused and sent in subsequent requests, potentially leaking sensitive\ninformation to unintended servers."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-9545",
  "aliases": [
    "CVE-2026-9545"
  ],
  "summary": "exposing HTTP/3 early data",
  "modified": "2026-06-24T09:10:24.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-9545.json",
    "www": "https://curl.se/docs/CVE-2026-9545.html",
    "issue": "https://hackerone.com/reports/3752888",
    "CWE": {
      "id": "CWE-200",
      "desc": "Exposure of Sensitive Information to an Unauthorized Actor"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.11.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "962097b8dd44ed5b9e7984bc1cdffdbdd566857f"},
             {"fixed": "7b9613fa9b1a5e04301a3920eef58e8138dad05e"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Eunsoo Kim (Autonomous Code Security team at Microsoft)",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "In this scenario, libcurl first uses a proper HTTP/3 server for the initial\ntransfers, and when it makes a second transfer to the same site it has been\nreplaced by the attacker's impostor machine - without a valid certificate.\n\nWhen libcurl returns to the hostname the second time with a cached SSL session\n(`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the\n`CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might\nsend off the second request's bytes on that new connection *before* enforcing\nthe certificate verification failure. Potentially leaking sensitive\ninformation."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-9080",
  "aliases": [
    "CVE-2026-9080"
  ],
  "summary": "UAF after pause in socket callback",
  "modified": "2026-06-24T15:14:27.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-9080.json",
    "www": "https://curl.se/docs/CVE-2026-9080.html",
    "issue": "https://hackerone.com/reports/3749204",
    "CWE": {
      "id": "CWE-416",
      "desc": "Use After Free"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.13.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "cfc657a48dbafb4194676d4c9d841388b3a22210"},
             {"fixed": "5ab34cba42e4ee4282fe8bab43f311d51b9bf9bd"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Joshua Rogers (Aisle Research)",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION`\ncallback triggers a use-after-free vulnerability, where libcurl attempts to\nstore a flag using a dangling struct pointer immediately after that pointer's\nmemory has been freed."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-9079",
  "aliases": [
    "CVE-2026-9079"
  ],
  "summary": "stale proxy password leak",
  "modified": "2026-06-24T10:06:45.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-9079.json",
    "www": "https://curl.se/docs/CVE-2026-9079.html",
    "issue": "https://hackerone.com/reports/3750295",
    "CWE": {
      "id": "CWE-522",
      "desc": "Insufficiently Protected Credentials"
    },
    "last_affected": "8.20.0",
    "severity": "Medium"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.8.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "d5e83eb745762f48d8fafadc5df5dd3ae8d8941e"},
             {"fixed": "88c7e16cceec816a2df45c899d49b1e85513f193"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Guancheng Li",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl had a flaw that when instructed to clear proxy authentication\ncredentials which made it not do so, leaving the old credentials around to get\nused for subsequent transfers that should not know nor use them."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-8932",
  "aliases": [
    "CVE-2026-8932"
  ],
  "summary": "incomplete mTLS config matching in conn reuse",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-8932.json",
    "www": "https://curl.se/docs/CVE-2026-8932.html",
    "issue": "https://hackerone.com/reports/3733910",
    "CWE": {
      "id": "CWE-305",
      "desc": "Authentication Bypass by Primary Weakness"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.7"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"},
             {"fixed": "7541ae569d82fb308a5e2d94916027da4fa3ba3e"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", 
        "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", 
        "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", 
        "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", 
        "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", 
        "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", 
        "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", 
        "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", 
        "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", 
        "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", 
        "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", 
        "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", 
        "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", 
        "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", 
        "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", 
        "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", 
        "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", 
        "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", 
        "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", 
        "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", 
        "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", 
        "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", 
        "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", 
        "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", 
        "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", 
        "7.7.3", "7.7.2", "7.7.1", "7.7"
      ]
    }
  ],
  "credits": [
    {
      "name": "Joshua Rogers (Aisle Research)",
      "type": "FINDER"
    },
    {
      "name": "Joshua Rogers (Aisle Research)",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl would reuse a previously created connection even when some mTLS config\nrelated option had been changed that should have prohibited reuse.\n\nlibcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup. However, some TLS\nsettings related to client certificates were left out from the configuration\nmatch checks, making them match too easily. In particular options related to\nthe private key."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-8927",
  "aliases": [
    "CVE-2026-8927"
  ],
  "summary": "env-set cross-proxy Digest auth state leak",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-8927.json",
    "www": "https://curl.se/docs/CVE-2026-8927.html",
    "issue": "https://hackerone.com/reports/3744543",
    "CWE": {
      "id": "CWE-294",
      "desc": "Authentication Bypass by Capture-replay"
    },
    "last_affected": "8.20.0",
    "severity": "Medium"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.12.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "fc6eff13b5414caf6edf22d73a3239e074a04216"},
             {"fixed": "5c225384b8d52c67ce8259c6e4203bc57aacb567"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", 
        "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", 
        "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", 
        "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", 
        "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", 
        "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", 
        "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", 
        "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", 
        "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", 
        "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", 
        "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", 
        "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", 
        "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", 
        "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", 
        "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", 
        "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", 
        "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", 
        "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", 
        "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", 
        "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", 
        "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", 
        "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Ady Elouej",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "When reusing a libcurl handle for sequential transfers driven by\nenvironment-variable proxy configuration, libcurl fails to clear the proxy\nauthentication state between requests. Specifically, if the initial transfer\nauthenticates against `proxyA` using Digest auth, a subsequent transfer routed\nthrough `proxyB` erroneously leaks the `Proxy-Authorization:` header intended\nsolely for `proxyA`."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-8926",
  "aliases": [
    "CVE-2026-8926"
  ],
  "summary": "password leak with netrc and user in URL",
  "modified": "2026-06-24T09:04:05.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-8926.json",
    "www": "https://curl.se/docs/CVE-2026-8926.html",
    "issue": "https://hackerone.com/reports/3735184",
    "CWE": {
      "id": "CWE-522",
      "desc": "Insufficiently Protected Credentials"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.11.1"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "e9b9bbac22c26cf67316fa8e6c6b9e831af31949"},
             {"fixed": "4ae1d7cc2643e4773a136395f12bc02fc6867854"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1"
      ]
    }
  ],
  "credits": [
    {
      "name": "Joshua Rogers (Aisle Research)",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "When asking curl to use a `.netrc` file to find credentials and at the same\ntime specifying a URL with a username (without a password), like\n`https://user@example.com/`, curl could wrongly get and use the password for\n*another* user set in the `.netrc` file for that host if such a one exists and\nthere is no match for the specified user."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-8925",
  "aliases": [
    "CVE-2026-8925"
  ],
  "summary": "SASL double-free",
  "modified": "2026-06-24T10:06:45.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-8925.json",
    "www": "https://curl.se/docs/CVE-2026-8925.html",
    "issue": "https://hackerone.com/reports/3735193",
    "CWE": {
      "id": "CWE-415",
      "desc": "Double Free"
    },
    "last_affected": "8.20.0",
    "severity": "Medium"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.15.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "ab650379a8c25ca952f651476d25b4cdd77bb3fc"},
             {"fixed": "3da249e1f0716c06644ed3522a37a8bf81808012"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Joshua Rogers (Aisle Research)",
      "type": "FINDER"
    },
    {
      "name": "Viktor Szakats",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "The curl logic that works with SASL authentication could end up cleaning up\nthe GSASL context *twice* without clearing the pointer in between, making it\n`free()` the same pointer twice."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-8924",
  "aliases": [
    "CVE-2026-8924"
  ],
  "summary": "trailing dot domain super cookie",
  "modified": "2026-06-24T10:06:45.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-8924.json",
    "www": "https://curl.se/docs/CVE-2026-8924.html",
    "issue": "https://hackerone.com/reports/3733905",
    "CWE": {
      "id": "CWE-201",
      "desc": "Information Exposure Through Sent Data"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.46.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "e77b5b7453c1e8ccd7ec0816890d98e2f392e465"},
             {"fixed": "51beed175dbfc37da3113f6acce60c630c070ce8"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", 
        "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", 
        "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", 
        "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", 
        "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", 
        "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", 
        "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", 
        "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", 
        "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", 
        "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", 
        "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", 
        "7.48.0", "7.47.1", "7.47.0", "7.46.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "vegagent on hackerone",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set\n\"super cookies\" that bypass the Public Suffix List check. This enables an\nattacker-controlled origin to inject cookies that curl subsequently scopes and\ntransmits to unrelated third-party domains."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-8458",
  "aliases": [
    "CVE-2026-8458"
  ],
  "summary": "wrong reuse for different services",
  "modified": "2026-06-24T10:06:45.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-8458.json",
    "www": "https://curl.se/docs/CVE-2026-8458.html",
    "issue": "https://hackerone.com/reports/3721183",
    "CWE": {
      "id": "CWE-488",
      "desc": "Exposure of Data Element to Wrong Session"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.43.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "97c272e5d173ad5f706443e2477f0a84f0044edd"},
             {"fixed": "5e99b73cf441d9c369768b9cd48b5389b9a2503d"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", 
        "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", 
        "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", 
        "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", 
        "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", 
        "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", 
        "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", 
        "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", 
        "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", 
        "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", 
        "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", 
        "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Muhamad Arga Reksapati",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl might in some circumstances reuse the wrong connection when asked to\ndo Negotiate-authenticated ones, even when they are set to use different\n\"services\".\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criteria must be met. Due to a logical\nerror in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different services."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-8286",
  "aliases": [
    "CVE-2026-8286"
  ],
  "summary": "wrong STARTTLS connection reuse",
  "modified": "2026-06-24T09:04:05.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-8286.json",
    "www": "https://curl.se/docs/CVE-2026-8286.html",
    "issue": "https://hackerone.com/reports/3718195",
    "CWE": {
      "id": "CWE-295",
      "desc": "Improper Certificate Validation"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.30.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "a1701eea289fe7ea80651f801cf992838a491dde"},
             {"fixed": "a86efdd7ca5433de9231e650f18247de8319ad16"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", 
        "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", 
        "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", 
        "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", 
        "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", 
        "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", 
        "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", 
        "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", 
        "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", 
        "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", 
        "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", 
        "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", 
        "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", 
        "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", 
        "7.30.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Andrew Nesbitt (powered by Mythos)",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the\nconnection might reuse an existing live connection even though the TLS\nconfiguration mismatches so it should not."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-7168",
  "aliases": [
    "CVE-2026-7168"
  ],
  "summary": "cross-proxy Digest auth state leak",
  "modified": "2026-04-29T07:48:41.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-7168.json",
    "www": "https://curl.se/docs/CVE-2026-7168.html",
    "issue": "https://hackerone.com/reports/3697719",
    "CWE": {
      "id": "CWE-294",
      "desc": "Authentication Bypass by Capture-replay"
    },
    "last_affected": "8.19.0",
    "severity": "Medium"
  },
  "published": "2026-04-29T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.12.0"},
             {"fixed": "8.20.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "fc6eff13b5414caf6edf22d73a3239e074a04216"},
             {"fixed": "c1cfdf59acbaf9504c4578d4cf56cdd7c8594507"}
           ]
        }
      ],
      "versions": [
        "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", 
        "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", 
        "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", 
        "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", 
        "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", 
        "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", 
        "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", 
        "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", 
        "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", 
        "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", 
        "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", 
        "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", 
        "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", 
        "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", 
        "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", 
        "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", 
        "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", 
        "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", 
        "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", 
        "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", 
        "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", 
        "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", 
        "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", 
        "7.12.3", "7.12.2", "7.12.1", "7.12.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Muhamad Arga Reksapati",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "Successfully using libcurl to do a transfer over a specific HTTP proxy\n(`proxyA`) with **Digest** authentication and then changing the proxy host to\na second one (`proxyB`) for a second transfer, reusing the same handle, makes\nlibcurl wrongly pass on the `Proxy-Authorization:` header field meant for\n`proxyA`, to `proxyB`."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-7009",
  "aliases": [
    "CVE-2026-7009"
  ],
  "summary": "OCSP stapling bypass with Apple SecTrust",
  "modified": "2026-04-29T09:56:23.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-7009.json",
    "www": "https://curl.se/docs/CVE-2026-7009.html",
    "issue": "https://hackerone.com/reports/3694390",
    "CWE": {
      "id": "CWE-295",
      "desc": "Improper Certificate Validation"
    },
    "last_affected": "8.19.0",
    "severity": "Medium"
  },
  "published": "2026-04-29T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.17.0"},
             {"fixed": "8.20.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "eefd03c572996e5de4dec4fe295ad6f103e0eefc"},
             {"fixed": "51905671e07f087e28e5741063646c379fe17d89"}
           ]
        }
      ],
      "versions": [
        "8.19.0", "8.18.0", "8.17.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Carlos Carrillo",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "When curl is told to use the Certificate Status Request TLS extension, often\nreferred to as *OCSP stapling*, to verify that the server certificate is\nvalid, it fails to detect OCSP problems and instead wrongly consider the\nresponse as fine."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-6429",
  "aliases": [
    "CVE-2026-6429"
  ],
  "summary": "netrc credential leak with reused proxy connection",
  "modified": "2026-04-29T07:48:41.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-6429.json",
    "www": "https://curl.se/docs/CVE-2026-6429.html",
    "issue": "https://hackerone.com/reports/3677759",
    "CWE": {
      "id": "CWE-200",
      "desc": "Exposure of Sensitive Information to an Unauthorized Actor"
    },
    "last_affected": "8.19.0",
    "severity": "Medium"
  },
  "published": "2026-04-29T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.14.0"},
             {"fixed": "8.20.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "01165e08e0d131b399fba2190f17af67e66f0888"},
             {"fixed": "b4024bf808bd558026fdc6096e8457f199ace306"}
           ]
        }
      ],
      "versions": [
        "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", 
        "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", 
        "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", 
        "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", 
        "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", 
        "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", 
        "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", 
        "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", 
        "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", 
        "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", 
        "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", 
        "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", 
        "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", 
        "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", 
        "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", 
        "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", 
        "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", 
        "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", 
        "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", 
        "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", 
        "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", 
        "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", 
        "7.15.1", "7.15.0", "7.14.1", "7.14.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Muhamad Arga Reksapati",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, libcurl could leak the password used for the first host to the\nfollowed-to host under certain circumstances."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-6276",
  "aliases": [
    "CVE-2026-6276"
  ],
  "summary": "stale custom cookie host causes cookie leak",
  "modified": "2026-04-29T09:56:23.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-6276.json",
    "www": "https://curl.se/docs/CVE-2026-6276.html",
    "issue": "https://hackerone.com/reports/3671818",
    "CWE": {
      "id": "CWE-346",
      "desc": "Origin Validation Error"
    },
    "last_affected": "8.19.0",
    "severity": "Low"
  },
  "published": "2026-04-29T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.71.0"},
             {"fixed": "8.20.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "e15e51384a423be31318b3c9c7d612a1aae661fd"},
             {"fixed": "3a19987a87f393d9394fe5acc7643f6c263c92db"}
           ]
        }
      ],
      "versions": [
        "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", 
        "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", 
        "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", 
        "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", 
        "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", 
        "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", 
        "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", 
        "7.73.0", "7.72.0", "7.71.1", "7.71.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Muhamad Arga Reksapati",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "Using libcurl, when a custom `Host:` header is first set for an HTTP request\nand a second request is subsequently done using the same *easy handle* but\nwithout the custom `Host:` header set, the second request would use stale\ninformation and pass on cookies meant for the first host in the second\nrequest. Leak them."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-6253",
  "aliases": [
    "CVE-2026-6253"
  ],
  "summary": "proxy credentials leak over redirect-to proxy",
  "modified": "2026-04-29T13:41:22.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-6253.json",
    "www": "https://curl.se/docs/CVE-2026-6253.html",
    "issue": "https://hackerone.com/reports/3669637",
    "CWE": {
      "id": "CWE-522",
      "desc": "Insufficiently Protected Credentials"
    },
    "last_affected": "8.19.0",
    "severity": "Medium"
  },
  "published": "2026-04-29T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.14.1"},
             {"fixed": "8.20.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "3b60bb725913ce7339aefef0a14b12df4c24db60"},
             {"fixed": "188c2f166a20fa97c2325b2da7d0e5cecc13725f"}
           ]
        }
      ],
      "versions": [
        "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", 
        "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", 
        "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", 
        "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", 
        "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", 
        "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", 
        "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", 
        "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", 
        "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", 
        "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", 
        "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", 
        "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", 
        "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", 
        "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", 
        "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", 
        "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", 
        "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", 
        "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", 
        "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", 
        "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", 
        "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", 
        "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", 
        "7.15.1", "7.15.0", "7.14.1"
      ]
    }
  ],
  "credits": [
    {
      "name": "Dwij Mehta (O2 Lab",
      "type": "FINDER"
    },
    {
      "name": "Texas A&M University)",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "curl might erroneously pass on credentials for a first proxy to a second\nproxy.\n\nThis can happen when the following conditions are true:\n\n1. curl is setup to use specific different proxies for different URL schemes\n2. the first proxy needs credentials\n3. the second proxy uses no credentials\n4. while using the first proxy (using say `http://`), curl is asked to follow\n   a redirect to a URL using another scheme (say `https://`), accessed using a\n   second, different, proxy"
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-5773",
  "aliases": [
    "CVE-2026-5773"
  ],
  "summary": "wrong reuse of SMB connection",
  "modified": "2026-05-19T11:21:50.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-5773.json",
    "www": "https://curl.se/docs/CVE-2026-5773.html",
    "issue": "https://hackerone.com/reports/3650689",
    "CWE": {
      "id": "CWE-488",
      "desc": "Exposure of Data Element to Wrong Session"
    },
    "last_affected": "8.19.0",
    "severity": "Low"
  },
  "published": "2026-04-29T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.40.0"},
             {"fixed": "8.20.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "aec2e865f06669b9cb5d26cc1148d70bc418b163"},
             {"fixed": "74a169575d6412dc0ff532acdf94de35a6c2a571"}
           ]
        }
      ],
      "versions": [
        "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", 
        "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", 
        "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", 
        "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", 
        "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", 
        "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", 
        "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", 
        "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", 
        "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", 
        "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", 
        "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", 
        "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", 
        "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", 
        "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", 
        "7.42.0", "7.41.0", "7.40.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Osama Hamad",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl might in some circumstances reuse the wrong connection for SMB(S)\ntransfers.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criteria must be met. Due to a logical\nerror in the code, a network transfer operation that was requested by an\napplication could wrongfully reuse an existing SMB connection to the same\nserver that was using a different \"share\" than the new subsequent transfer\nshould.\n\nThis could in unlucky situations lead to the download of the wrong file or the\nupload of a file to the wrong place. When this happens, the same credentials\nare used and the server name is the same."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-5545",
  "aliases": [
    "CVE-2026-5545"
  ],
  "summary": "wrong reuse of HTTP Negotiate connection",
  "modified": "2026-04-29T07:48:41.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-5545.json",
    "www": "https://curl.se/docs/CVE-2026-5545.html",
    "issue": "https://hackerone.com/reports/3642555",
    "CWE": {
      "id": "CWE-305",
      "desc": "Authentication Bypass by Primary Weakness"
    },
    "last_affected": "8.19.0",
    "severity": "Medium"
  },
  "published": "2026-04-29T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.10.6"},
             {"fixed": "8.20.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "e56ae1426cb7a0a4a427cf8d6099a821fdaae428"},
             {"fixed": "33e43985b8f3b9e66691d06e70be0395849856cd"}
           ]
        }
      ],
      "versions": [
        "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", 
        "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", 
        "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", 
        "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", 
        "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", 
        "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", 
        "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", 
        "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", 
        "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", 
        "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", 
        "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", 
        "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", 
        "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", 
        "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", 
        "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", 
        "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", 
        "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", 
        "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", 
        "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", 
        "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", 
        "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", 
        "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", 
        "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", 
        "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", 
        "7.10.8", "7.10.7", "7.10.6"
      ]
    }
  ],
  "credits": [
    {
      "name": "Quac Tran and Ngoc Hieu",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl might in some circumstances reuse the wrong connection when asked to\ndo an authenticated HTTP(S) request after a Negotiate-authenticated one, when\nboth use the same host.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criteria must be met. Due to a logical\nerror in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials.\n\nAn application that first uses Negotiate authentication to a server with\n`user1:password1` and then does another operation to the same server asking\nfor any authentication method but for `user2:password2` (while the previous\nconnection is still alive) - the second request gets confused and wrongly\nreuses the same connection and sends the new request over that connection\nthinking it uses a mix of user1's and user2's credentials when it is in fact\nstill using the connection authenticated for user1..."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-4873",
  "aliases": [
    "CVE-2026-4873"
  ],
  "summary": "connection reuse ignores TLS requirement",
  "modified": "2026-04-29T09:56:23.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-4873.json",
    "www": "https://curl.se/docs/CVE-2026-4873.html",
    "issue": "https://hackerone.com/reports/3621851",
    "CWE": {
      "id": "CWE-319",
      "desc": "Cleartext Transmission of Sensitive Information"
    },
    "last_affected": "8.19.0",
    "severity": "Low"
  },
  "published": "2026-04-29T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.20.0"},
             {"fixed": "8.20.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "ec3bb8f727405642a471b4b1b9eb0118fc003104"},
             {"fixed": "507e7be573b0a76fca597b75ff7cb27a66e7d865"}
           ]
        }
      ],
      "versions": [
        "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", 
        "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", 
        "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", 
        "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", 
        "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", 
        "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", 
        "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", 
        "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", 
        "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", 
        "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", 
        "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", 
        "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", 
        "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", 
        "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", 
        "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", 
        "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", 
        "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", 
        "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", 
        "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Arkadi Vainbrand",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "A vulnerability exists where a connection requiring TLS incorrectly reuses an\nexisting unencrypted connection from the same connection pool. If an initial\ntransfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request\nto that same host bypasses the TLS requirement and instead transmit data\nunencrypted."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-3805",
  "aliases": [
    "CVE-2026-3805"
  ],
  "summary": "use after free in SMB connection reuse",
  "modified": "2026-05-19T11:21:50.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-3805.json",
    "www": "https://curl.se/docs/CVE-2026-3805.html",
    "issue": "https://hackerone.com/reports/3591944",
    "CWE": {
      "id": "CWE-416",
      "desc": "Use After Free"
    },
    "last_affected": "8.18.0",
    "severity": "Medium"
  },
  "published": "2026-03-11T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.13.0"},
             {"fixed": "8.19.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "f4831daa9b2a97e8a2921d6b62cc4dfdd0d8646e"},
             {"fixed": "e090be9f73a7a71459ef678c7cc4b1f75e3ea883"}
           ]
        }
      ],
      "versions": [
        "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Daniel Wade",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "When doing a second SMB request to the same host again, curl would wrongly use\na data pointer pointing into already freed memory."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-3784",
  "aliases": [
    "CVE-2026-3784"
  ],
  "summary": "wrong proxy connection reuse with credentials",
  "modified": "2026-04-25T17:48:46.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-3784.json",
    "www": "https://curl.se/docs/CVE-2026-3784.html",
    "issue": "https://hackerone.com/reports/3584903",
    "CWE": {
      "id": "CWE-305",
      "desc": "Authentication Bypass by Primary Weakness"
    },
    "last_affected": "8.18.0",
    "severity": "Low"
  },
  "published": "2026-03-11T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.7"},
             {"fixed": "8.19.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"},
             {"fixed": "5f13a7645e565c5c1a06f3ef86e97afb856fb364"}
           ]
        }
      ],
      "versions": [
        "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", 
        "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", 
        "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", 
        "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", 
        "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", 
        "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", 
        "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", 
        "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", 
        "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", 
        "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", 
        "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", 
        "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", 
        "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", 
        "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", 
        "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", 
        "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", 
        "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", 
        "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", 
        "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", 
        "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", 
        "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", 
        "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", 
        "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", 
        "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", 
        "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", 
        "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", 
        "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", 
        "7.7.1", "7.7"
      ]
    }
  ],
  "credits": [
    {
      "name": "Muhamad Arga Reksapati (HackerOne: nobcoder)",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a\nserver, even if the new request uses different credentials for the HTTP proxy.\nThe proper behavior is to create or use a separate connection."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-3783",
  "aliases": [
    "CVE-2026-3783"
  ],
  "summary": "token leak with redirect and netrc",
  "modified": "2026-04-25T17:48:46.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-3783.json",
    "www": "https://curl.se/docs/CVE-2026-3783.html",
    "issue": "https://hackerone.com/reports/3583983",
    "CWE": {
      "id": "CWE-522",
      "desc": "Insufficiently Protected Credentials"
    },
    "last_affected": "8.18.0",
    "severity": "Medium"
  },
  "published": "2026-03-11T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.33.0"},
             {"fixed": "8.19.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "06c1bea72faabb6fad4b7ef818aafaa336c9a7aa"},
             {"fixed": "e3d7401a32a46516c9e5ee877e613e62ed35bddc"}
           ]
        }
      ],
      "versions": [
        "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", 
        "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", 
        "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", 
        "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", 
        "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", 
        "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", 
        "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", 
        "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", 
        "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", 
        "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", 
        "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", 
        "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", 
        "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", 
        "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", 
        "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", 
        "7.35.0", "7.34.0", "7.33.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "spectreglobalsec on hackerone",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a redirect to a second URL, curl could leak that token to the second\nhostname under some circumstances.\n\nIf the hostname that the first request is redirected to has information in the\nused .netrc file, with either of the `machine` or `default` keywords, curl\nwould pass on the bearer token set for the first host also to the second one."
},
{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-1965",
  "aliases": [
    "CVE-2026-1965"
  ],
  "summary": "bad reuse of HTTP Negotiate connection",
  "modified": "2026-05-19T11:21:50.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-1965.json",
    "www": "https://curl.se/docs/CVE-2026-1965.html",
    "CWE": {
      "id": "CWE-305",
      "desc": "Authentication Bypass by Primary Weakness"
    },
    "last_affected": "8.18.0",
    "severity": "Medium"
  },
  "published": "2026-03-11T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.10.6"},
             {"fixed": "8.19.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "e56ae1426cb7a0a4a427cf8d6099a821fdaae428"},
             {"fixed": "f1a39f221d57354990e3eeeddc3404aede2aff70"}
           ]
        }
      ],
      "versions": [
        "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", 
        "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", 
        "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", 
        "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", 
        "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", 
        "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", 
        "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", 
        "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", 
        "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", 
        "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", 
        "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", 
        "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", 
        "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", 
        "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", 
        "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", 
        "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", 
        "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", 
        "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", 
        "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", 
        "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", 
        "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", 
        "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", 
        "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", 
        "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", 
        "7.10.7", "7.10.6"
      ]
    }
  ],
  "credits": [
    {
      "name": "Zhicheng Chen",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl can in some circumstances reuse the wrong connection when asked to do\nan Negotiate-authenticated HTTP or HTTPS request.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criterion must first be met. Due to a\nlogical error in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. One underlying reason being that\nNegotiate sometimes authenticates *connections* and not *requests*, contrary\nto how HTTP is designed to work.\n\nAn application that allows Negotiate authentication to a server (that responds\nwanting Negotiate) with `user1:password1` and then does another operation to\nthe same server also using Negotiate but with `user2:password2` (while the\nprevious connection is still alive) - the second request wrongly reused the\nsame connection and since it then sees that the Negotiate negotiation is\nalready made, it sends the request over that connection thinking it uses\nthe user2 credentials when it is in fact still using the connection\nauthenticated for user1...\n\nThe set of authentication methods to use is set with `CURLOPT_HTTPAUTH`.\n\nApplications can disable libcurl's reuse of connections and thus mitigate this\nproblem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API)."
}]
