Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/137976?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/137976?format=api", "purl": "pkg:generic/curl.se/curl@8.16.0", "type": "generic", "namespace": "curl.se", "name": "curl", "version": "8.16.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "8.20.0", "latest_non_vulnerable_version": "8.20.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65730?format=api", "vulnerability_id": "VCID-21ff-tazv-9ud3", "summary": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14524.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14524.json" }, { "reference_url": "https://curl.se/docs/CVE-2025-14524.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2025-14524.html" }, { "reference_url": "https://hackerone.com/reports/3459417", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3459417" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426407", "reference_id": "2426407", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426407" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137978?format=api", "purl": "pkg:generic/curl.se/curl@8.18.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-39qh-jayw-g3dh" }, { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-fxgf-t3ue-6qhf" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-hhms-2hg6-nke9" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" }, { "vulnerability": "VCID-y44u-23he-aya8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.18.0" } ], "aliases": [ "CVE-2025-14524" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-21ff-tazv-9ud3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65106?format=api", "vulnerability_id": "VCID-39qh-jayw-g3dh", "summary": "curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1965.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1965.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-1965.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-1965.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446448", "reference_id": "2446448", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446448" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137979?format=api", "purl": "pkg:generic/curl.se/curl@8.19.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.19.0" } ], "aliases": [ "CVE-2026-1965" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "6.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-39qh-jayw-g3dh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61672?format=api", "vulnerability_id": "VCID-5un8-xymy-37bt", "summary": "curl: libcurl: Wrong file transfer due to incorrect SMB connection reuse", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-5773.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-5773.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-5773.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-5773.html" }, { "reference_url": "https://hackerone.com/reports/3650689", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3650689" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461201", "reference_id": "2461201", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461201" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:12916", "reference_id": "RHSA-2026:12916", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:12916" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137980?format=api", "purl": "pkg:generic/curl.se/curl@8.20.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.20.0" } ], "aliases": [ "CVE-2026-5773" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5un8-xymy-37bt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65729?format=api", "vulnerability_id": "VCID-7wqd-99h2-e7hk", "summary": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14017.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14017.json" }, { "reference_url": "https://curl.se/docs/CVE-2025-14017.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2025-14017.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427870", "reference_id": "2427870", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427870" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137978?format=api", "purl": "pkg:generic/curl.se/curl@8.18.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-39qh-jayw-g3dh" }, { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-fxgf-t3ue-6qhf" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-hhms-2hg6-nke9" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" }, { "vulnerability": "VCID-y44u-23he-aya8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.18.0" } ], "aliases": [ "CVE-2025-14017" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7wqd-99h2-e7hk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/60252?format=api", "vulnerability_id": "VCID-bcuq-n4vb-k7f3", "summary": "curl: libcurl: Information disclosure via incorrect Proxy-Authorization header reuse", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-7168.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-7168.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-7168.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-7168.html" }, { "reference_url": "https://hackerone.com/reports/3697719", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3697719" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476979", "reference_id": "2476979", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476979" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:19106", "reference_id": "RHSA-2026:19106", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:19106" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137980?format=api", "purl": "pkg:generic/curl.se/curl@8.20.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.20.0" } ], "aliases": [ "CVE-2026-7168" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bcuq-n4vb-k7f3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61679?format=api", "vulnerability_id": "VCID-f9nm-d5ax-qkcb", "summary": "curl: libcurl: Credential leak via reused proxy connection during HTTP redirects", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6429.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6429.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-6429.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-6429.html" }, { "reference_url": "https://hackerone.com/reports/3677759", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3677759" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461205", "reference_id": "2461205", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461205" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:12916", "reference_id": "RHSA-2026:12916", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:12916" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137980?format=api", "purl": "pkg:generic/curl.se/curl@8.20.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.20.0" } ], "aliases": [ "CVE-2026-6429" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f9nm-d5ax-qkcb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65735?format=api", "vulnerability_id": "VCID-fcb7-8163-muf4", "summary": "When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-15224.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-15224.json" }, { "reference_url": "https://curl.se/docs/CVE-2025-15224.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2025-15224.html" }, { "reference_url": "https://hackerone.com/reports/3480925", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3480925" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426410", "reference_id": "2426410", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426410" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137978?format=api", "purl": "pkg:generic/curl.se/curl@8.18.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-39qh-jayw-g3dh" }, { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-fxgf-t3ue-6qhf" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-hhms-2hg6-nke9" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" }, { "vulnerability": "VCID-y44u-23he-aya8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.18.0" } ], "aliases": [ "CVE-2025-15224" ], "risk_score": 2.1, "exploitability": "0.5", "weighted_severity": "4.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fcb7-8163-muf4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65101?format=api", "vulnerability_id": "VCID-fxgf-t3ue-6qhf", "summary": "curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3805.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3805.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-3805.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-3805.html" }, { "reference_url": "https://hackerone.com/reports/3591944", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3591944" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446451", "reference_id": "2446451", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446451" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137979?format=api", "purl": "pkg:generic/curl.se/curl@8.19.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.19.0" } ], "aliases": [ "CVE-2026-3805" ], "risk_score": 2.9, "exploitability": "0.5", "weighted_severity": "5.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fxgf-t3ue-6qhf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61678?format=api", "vulnerability_id": "VCID-g7ux-4vz2-ckfg", "summary": "curl: libcurl: Authentication bypass due to incorrect HTTP Negotiate connection reuse", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-5545.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-5545.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-5545.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-5545.html" }, { "reference_url": "https://hackerone.com/reports/3642555", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3642555" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461204", "reference_id": "2461204", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461204" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:12916", "reference_id": "RHSA-2026:12916", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:12916" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137980?format=api", "purl": "pkg:generic/curl.se/curl@8.20.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.20.0" } ], "aliases": [ "CVE-2026-5545" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g7ux-4vz2-ckfg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65731?format=api", "vulnerability_id": "VCID-gux4-dncg-h7a6", "summary": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14819.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14819.json" }, { "reference_url": "https://curl.se/docs/CVE-2025-14819.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2025-14819.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426408", "reference_id": "2426408", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426408" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137978?format=api", "purl": "pkg:generic/curl.se/curl@8.18.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-39qh-jayw-g3dh" }, { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-fxgf-t3ue-6qhf" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-hhms-2hg6-nke9" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" }, { "vulnerability": "VCID-y44u-23he-aya8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.18.0" } ], "aliases": [ "CVE-2025-14819" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "6.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gux4-dncg-h7a6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65105?format=api", "vulnerability_id": "VCID-hhms-2hg6-nke9", "summary": "curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3783.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3783.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-3783.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-3783.html" }, { "reference_url": "https://hackerone.com/reports/3583983", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3583983" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446450", "reference_id": "2446450", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446450" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137979?format=api", "purl": "pkg:generic/curl.se/curl@8.19.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.19.0" } ], "aliases": [ "CVE-2026-3783" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "5.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hhms-2hg6-nke9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65726?format=api", "vulnerability_id": "VCID-p155-gbtu-abg1", "summary": "curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-10966.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-10966.json" }, { "reference_url": "https://curl.se/docs/CVE-2025-10966.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2025-10966.html" }, { "reference_url": "https://hackerone.com/reports/3355218", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3355218" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413308", "reference_id": "2413308", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413308" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137977?format=api", "purl": "pkg:generic/curl.se/curl@8.17.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-21ff-tazv-9ud3" }, { "vulnerability": "VCID-39qh-jayw-g3dh" }, { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-7wqd-99h2-e7hk" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-fcb7-8163-muf4" }, { "vulnerability": "VCID-fxgf-t3ue-6qhf" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-gux4-dncg-h7a6" }, { "vulnerability": "VCID-hhms-2hg6-nke9" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-t45k-skv6-cfg2" }, { "vulnerability": "VCID-v82t-s9e1-2fbw" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" }, { "vulnerability": "VCID-y44u-23he-aya8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.17.0" } ], "aliases": [ "CVE-2025-10966" ], "risk_score": 2.6, "exploitability": "0.5", "weighted_severity": "5.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p155-gbtu-abg1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61673?format=api", "vulnerability_id": "VCID-secz-78pt-dben", "summary": "curl: curl: Proxy credential disclosure via redirects to unauthenticated proxies", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6253.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6253.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-6253.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-6253.html" }, { "reference_url": "https://hackerone.com/reports/3669637", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3669637" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461202", "reference_id": "2461202", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461202" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:12916", "reference_id": "RHSA-2026:12916", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:12916" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137980?format=api", "purl": "pkg:generic/curl.se/curl@8.20.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.20.0" } ], "aliases": [ "CVE-2026-6253" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-secz-78pt-dben" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65728?format=api", "vulnerability_id": "VCID-t45k-skv6-cfg2", "summary": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13034.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13034.json" }, { "reference_url": "https://curl.se/docs/CVE-2025-13034.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2025-13034.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426406", "reference_id": "2426406", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426406" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137978?format=api", "purl": "pkg:generic/curl.se/curl@8.18.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-39qh-jayw-g3dh" }, { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-fxgf-t3ue-6qhf" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-hhms-2hg6-nke9" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" }, { "vulnerability": "VCID-y44u-23he-aya8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.18.0" } ], "aliases": [ "CVE-2025-13034" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "6.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t45k-skv6-cfg2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65733?format=api", "vulnerability_id": "VCID-v82t-s9e1-2fbw", "summary": "When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-15079.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-15079.json" }, { "reference_url": "https://curl.se/docs/CVE-2025-15079.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2025-15079.html" }, { "reference_url": "https://hackerone.com/reports/3477116", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3477116" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426409", "reference_id": "2426409", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426409" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137978?format=api", "purl": "pkg:generic/curl.se/curl@8.18.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-39qh-jayw-g3dh" }, { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-fxgf-t3ue-6qhf" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-hhms-2hg6-nke9" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" }, { "vulnerability": "VCID-y44u-23he-aya8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.18.0" } ], "aliases": [ "CVE-2025-15079" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v82t-s9e1-2fbw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61670?format=api", "vulnerability_id": "VCID-w8ff-vxga-8qcz", "summary": "curl: curl: Information disclosure due to incorrect TLS connection reuse", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4873.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4873.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-4873.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-4873.html" }, { "reference_url": "https://hackerone.com/reports/3621851", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3621851" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461200", "reference_id": "2461200", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461200" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:12916", "reference_id": "RHSA-2026:12916", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:12916" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137980?format=api", "purl": "pkg:generic/curl.se/curl@8.20.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.20.0" } ], "aliases": [ "CVE-2026-4873" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w8ff-vxga-8qcz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61676?format=api", "vulnerability_id": "VCID-wgur-psum-pbck", "summary": "curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6276.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6276.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-6276.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-6276.html" }, { "reference_url": "https://hackerone.com/reports/3671818", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3671818" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461203", "reference_id": "2461203", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461203" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:12916", "reference_id": "RHSA-2026:12916", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:12916" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137980?format=api", "purl": "pkg:generic/curl.se/curl@8.20.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.20.0" } ], "aliases": [ "CVE-2026-6276" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wgur-psum-pbck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65103?format=api", "vulnerability_id": "VCID-y44u-23he-aya8", "summary": "curl: curl: Unauthorized access due to improper HTTP proxy connection reuse", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3784.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3784.json" }, { "reference_url": "https://curl.se/docs/CVE-2026-3784.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2026-3784.html" }, { "reference_url": "https://hackerone.com/reports/3584903", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3584903" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446449", "reference_id": "2446449", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446449" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137979?format=api", "purl": "pkg:generic/curl.se/curl@8.19.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-9vbs-w124-q3au" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.19.0" } ], "aliases": [ "CVE-2026-3784" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y44u-23he-aya8" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65741?format=api", "vulnerability_id": "VCID-58be-1htj-wqdd", "summary": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9086.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9086.json" }, { "reference_url": "https://curl.se/docs/CVE-2025-9086.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2025-9086.html" }, { "reference_url": "https://hackerone.com/reports/3294999", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3294999" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394750", "reference_id": "2394750", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394750" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23043", "reference_id": "RHSA-2025:23043", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23043" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23125", "reference_id": "RHSA-2025:23125", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23125" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23126", "reference_id": "RHSA-2025:23126", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23126" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23127", "reference_id": "RHSA-2025:23127", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23127" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23383", "reference_id": "RHSA-2025:23383", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23383" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1350", "reference_id": "RHSA-2026:1350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1477", "reference_id": "RHSA-2026:1477", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1477" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1736", "reference_id": "RHSA-2026:1736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1825", "reference_id": "RHSA-2026:1825", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1825" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2485", "reference_id": "RHSA-2026:2485", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2485" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2563", "reference_id": "RHSA-2026:2563", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2563" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4943", "reference_id": "RHSA-2026:4943", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4943" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137976?format=api", "purl": "pkg:generic/curl.se/curl@8.16.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-21ff-tazv-9ud3" }, { "vulnerability": "VCID-39qh-jayw-g3dh" }, { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-7wqd-99h2-e7hk" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-fcb7-8163-muf4" }, { "vulnerability": "VCID-fxgf-t3ue-6qhf" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-gux4-dncg-h7a6" }, { "vulnerability": "VCID-hhms-2hg6-nke9" }, { "vulnerability": "VCID-p155-gbtu-abg1" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-t45k-skv6-cfg2" }, { "vulnerability": "VCID-v82t-s9e1-2fbw" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" }, { "vulnerability": "VCID-y44u-23he-aya8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.16.0" } ], "aliases": [ "CVE-2025-9086" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-58be-1htj-wqdd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65725?format=api", "vulnerability_id": "VCID-ezve-gc2h-qyga", "summary": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-10148.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-10148.json" }, { "reference_url": "https://curl.se/docs/CVE-2025-10148.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "cvssv3.1", "scoring_elements": "" } ], "url": "https://curl.se/docs/CVE-2025-10148.html" }, { "reference_url": "https://hackerone.com/reports/3330839", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/3330839" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394749", "reference_id": "2394749", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394749" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6893", "reference_id": "RHSA-2026:6893", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6893" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/137976?format=api", "purl": "pkg:generic/curl.se/curl@8.16.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-21ff-tazv-9ud3" }, { "vulnerability": "VCID-39qh-jayw-g3dh" }, { "vulnerability": "VCID-5un8-xymy-37bt" }, { "vulnerability": "VCID-7wqd-99h2-e7hk" }, { "vulnerability": "VCID-bcuq-n4vb-k7f3" }, { "vulnerability": "VCID-f9nm-d5ax-qkcb" }, { "vulnerability": "VCID-fcb7-8163-muf4" }, { "vulnerability": "VCID-fxgf-t3ue-6qhf" }, { "vulnerability": "VCID-g7ux-4vz2-ckfg" }, { "vulnerability": "VCID-gux4-dncg-h7a6" }, { "vulnerability": "VCID-hhms-2hg6-nke9" }, { "vulnerability": "VCID-p155-gbtu-abg1" }, { "vulnerability": "VCID-secz-78pt-dben" }, { "vulnerability": "VCID-t45k-skv6-cfg2" }, { "vulnerability": "VCID-v82t-s9e1-2fbw" }, { "vulnerability": "VCID-w8ff-vxga-8qcz" }, { "vulnerability": "VCID-wgur-psum-pbck" }, { "vulnerability": "VCID-y44u-23he-aya8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.16.0" } ], "aliases": [ "CVE-2025-10148" ], "risk_score": 2.1, "exploitability": "0.5", "weighted_severity": "4.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ezve-gc2h-qyga" } ], "risk_score": "3.6", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:generic/curl.se/curl@8.16.0" }