| purl | pkg:deb/debian/curl@0?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-176a-agbw-hqdy | curl: libcurl: QUIC Certificate Pinning Bypass | CVE-2025-5025 |
| VCID-26p8-15d6-kbb1 | libcurl: Double Close of Eventfd in libcurl | CVE-2025-0665 |
| VCID-2vwu-y316-gbb2 | Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. | CVE-2024-2466 |
| VCID-38mv-usbe-z7hd | Multiple vulnerabilities have been found in cURL, the worst of which could result in the arbitrary execution of code. | CVE-2021-22901 |
| VCID-549m-sm8g-cude | Multiple vulnerabilities have been found in cURL, the worst of which may allow attackers to bypass intended restrictions. | CVE-2017-1000099 |
| VCID-5g4v-dyse-uucu | wcurl: wcurl: Arbitrary file placement via crafted URLs | CVE-2025-11563 |
| VCID-5xp7-mcsa-uqd4 | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed, contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | CVE-2025-14819 |
| VCID-6ge5-86tg-dydf | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. | CVE-2022-27779 |
| VCID-8m6a-ej6a-g3df | curl: freeing stack buffer in utf8asn1str | CVE-2024-6197 |
| VCID-9mjz-apkm-g7h1 | libcurl: curl: QUIC certificate check skip with wolfSSL | CVE-2025-4947 |
| VCID-a9b6-m25r-kygw | The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by "*.com." | CVE-2016-9952 |
| VCID-amgy-dw6h-6ydf | curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling | CVE-2026-3805 |
| VCID-aua9-4frt-xugf | curl: libcurl: Curl out of bounds read for cookie path | CVE-2025-9086 |
| VCID-b69q-9yrr-myf7 | Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. | CVE-2024-0853 |
| VCID-bz4u-6rft-s3a8 | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. | CVE-2023-38039 |
| VCID-d3s1-3qs7-2uhw | curl: Cipher settings shared for all connections when using schannel TLS backend | CVE-2021-22897 |
| VCID-ej47-4dcu-5fhy | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. | CVE-2022-42915 |
| VCID-hj8v-tgnn-mfdw | The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read. | CVE-2016-9953 |
| VCID-hjkx-6yep-mkde | curl: removes wrong file on error | CVE-2022-27778 |
| VCID-hudt-78dw-tkf2 | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. | CVE-2021-22925 |
| VCID-hyqp-z8hb-fqbt | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. | CVE-2016-9594 |
| VCID-ke81-x2ze-rbc5 | Double Free: A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without consideration for doing this sharing across separate threads, but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free. | CVE-2023-27537 |
| VCID-ksap-zrmb-ebcu | curl: predictable WebSocket mask | CVE-2025-10148 |
| VCID-kt4b-7ffh-4bch | When using the `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. | CVE-2025-13034 |
| VCID-m15r-v9sr-2bbn | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. | CVE-2023-28319 |
| VCID-m3nh-aha9-dfbc | Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, when the --remote-header-name or -J option is used, allows remote servers to create or overwrite arbitrary files by using \ (backslash) as a separator of path components within the Content-disposition HTTP header. | CVE-2010-3842 |
| VCID-m3r3-25yq-hqdc | Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks. | CVE-2016-4606 |
| VCID-m5fs-um7r-9qh2 | curl: libcurl: WebSocket endless loop | CVE-2025-5399 |
| VCID-ma8s-he6x-z7a8 | curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. | CVE-2014-2522 |
| VCID-my7a-jeng-5bhw | curl: macidn punycode buffer overread | CVE-2024-6874 |
| VCID-qpfa-s6sd-8yct | curl: Windows OpenSSL engine code injection | CVE-2019-5443 |
| VCID-rg54-svzj-x7f9 | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. | CVE-2022-35260 |
| VCID-rhxh-77pj-1bfy | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. | CVE-2022-27780 |
| VCID-snaz-pg1h-8kew | cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name. | CVE-2016-0754 |
| VCID-t753-w1ha-kqaz | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. | CVE-2014-8151 |
| VCID-t9p4-2x7v-yfaq | | CVE-2025-0167 |
| VCID-tha5-fv3w-sub6 | Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. | CVE-2024-2004 |
| VCID-u9jp-j1ds-73e7 | curl: URL file scheme drive letter buffer overflow | CVE-2017-9502 |
| VCID-v9n1-d6xt-6ubn | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. | CVE-2022-30115 |
| VCID-wc8j-qyp4-tqbd | Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory. | CVE-2016-4802 |
| VCID-wdhs-h36p-qbga | curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148) | CVE-2017-2628 |
| VCID-wgma-bycg-1qb1 | curl: curl netrc password leak | CVE-2024-11053 |
| VCID-ya9y-nav3-37hh | curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in Apple OS X 10.9.x before 10.9.2, do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. | CVE-2014-1263 |