curl / Docs / Vulnerability table / 8.20.0 vulnerabilities

Vulnerabilities in curl 8.20.0

curl version 8.20.0 was released on April 29 2026

It has the following 18 published security problems.

SFlawFirstLast
LCVE-2026-12064: proto-default skips SSH verification7.81.08.20.0
MCVE-2026-11856: cross-origin Digest auth state leak7.10.68.20.0
LCVE-2026-11586: WS Auto-PONG memory exhaustion8.16.08.20.0
LCVE-2026-11564: Native CA trust persist8.17.08.20.0
LCVE-2026-11352: QUIC zero-length UDP datagrams busy-loop8.18.08.20.0
LCVE-2026-10536: HTTP/2 stream-dependency tree UAF7.88.08.20.0
LCVE-2026-9547: SSH improper host validation7.69.08.20.0
LCVE-2026-9546: sending old referer8.18.08.20.0
LCVE-2026-9545: exposing HTTP/3 early data8.11.08.20.0
LCVE-2026-9080: UAF after pause in socket callback8.13.08.20.0
MCVE-2026-9079: stale proxy password leak8.8.08.20.0
LCVE-2026-8932: incomplete mTLS config matching in conn reuse7.78.20.0
MCVE-2026-8927: env-set cross-proxy Digest auth state leak7.12.08.20.0
LCVE-2026-8926: password leak with netrc and user in URL8.11.18.20.0
MCVE-2026-8925: SASL double-free8.15.08.20.0
LCVE-2026-8924: trailing dot domain super cookie7.46.08.20.0
LCVE-2026-8458: wrong reuse for different services7.43.08.20.0
LCVE-2026-8286: wrong STARTTLS connection reuse7.30.08.20.0

Further details

CVE data for 8.20.0 provided as JSON.

Changelog for curl 8.20.0

See vulnerability summary for the previous release: 8.19.0 or the subsequent release: 8.21.0