Search for packages
| purl | pkg:deb/debian/curl@7.88.1-10%2Bdeb12u14?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2cx5-1qnw-uufj
Aliases: CVE-2026-1965 |
curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2szj-xvgq-pkfr
Aliases: CVE-2024-2379 |
curl: QUIC certificate check bypass with wolfSSL |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-5xp7-mcsa-uqd4
Aliases: CVE-2025-14819 |
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6we4-n888-6qhe
Aliases: CVE-2025-0725 |
libcurl: Buffer Overflow in libcurl via zlib Integer Overflow |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8zks-th64-33b8
Aliases: CVE-2026-3784 |
curl: curl: Unauthorized access due to improper HTTP proxy connection reuse |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-etzn-uhck-h7b2
Aliases: CVE-2026-3783 |
curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ksap-zrmb-ebcu
Aliases: CVE-2025-10148 |
curl: predictable WebSocket mask |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-mkyr-w79c-qqfz
Aliases: CVE-2025-14017 |
curl: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-nvzd-v3bs-6qek
Aliases: CVE-2025-15079 |
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-qpux-jh6k-8qhx
Aliases: CVE-2025-10966 |
curl: Curl missing SFTP host verification with wolfSSH backend |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vbbv-k1r7-kkas
Aliases: CVE-2025-15224 |
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-x57x-w8g8-7ybz
Aliases: CVE-2025-14524 |
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-176a-agbw-hqdy | curl: libcurl: QUIC Certificate Pinning Bypass |
CVE-2025-5025
|
| VCID-1k8f-qgcv-xkhb | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-27782
|
| VCID-1mf9-u8y1-zbb1 | Multiple vulnerabilities have been found in cURL, the worst of which may allow attackers to bypass intended restrictions. |
CVE-2017-1000101
|
| VCID-26ju-84rx-c7b9 | Multiple vulnerabilities have been found in cURL, the worst of which may allow attackers to bypass intended restrictions. |
CVE-2017-7407
|
| VCID-26p8-15d6-kbb1 | libcurl: Double Close of Eventfd in libcurl |
CVE-2025-0665
|
| VCID-29n1-4u2b-tkgj | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2018-16842
|
| VCID-2b39-ubrt-hkc6 | Multiple vulnerabilities have been found in cURL, the worst of which may lead to arbitrary code execution. |
CVE-2019-5436
|
| VCID-2f5z-vxsz-yqdv | A vulnerability in cURL may allow for arbitrary file access. |
CVE-2009-0037
|
| VCID-2vwu-y316-gbb2 | Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. |
CVE-2024-2466
|
| VCID-2xmp-jc8v-bucb | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-35252
|
| VCID-36n6-qanf-nue8 | Multiple vulnerabilities have been found in cURL, the worst of which may allow attackers to bypass intended restrictions. |
CVE-2017-7468
|
| VCID-38mv-usbe-z7hd | Multiple vulnerabilities have been found in cURL, the worst of which could result in the arbitrary execution of code. |
CVE-2021-22901
|
| VCID-3sy2-4f3g-zkac | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-27774
|
| VCID-47qb-2qkw-1qej | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2023-28321
|
| VCID-4drq-2td7-akbk | cURL is vulnerable to a buffer overflow which could lead to the execution of arbitrary code. |
CVE-2005-3185
|
| VCID-4e1k-7bj9-hfch | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2023-23914
|
| VCID-4gze-cwtp-2bgr | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2023-23915
|
| VCID-4mcy-vzmg-mbhz | Multiple vulnerabilities have been found in cURL, the worst of which might allow remote execution of arbitrary code. |
CVE-2012-0036
|
| VCID-4mk9-5buz-puh5 | Multiple vulnerabilities have been discovered in cURL, the worst of which could lead to man-in-the-middle attacks. |
CVE-2014-0139
|
| VCID-4seq-hvbx-7fg8 | Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. |
CVE-2023-46219
|
| VCID-549m-sm8g-cude | Multiple vulnerabilities have been found in cURL, the worst of which may allow attackers to bypass intended restrictions. |
CVE-2017-1000099
|
| VCID-56wg-yafz-gkgx | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2021-22922
|
| VCID-5g4v-dyse-uucu | wcurl: wcurl: Arbitrary file placement via crafted URLs |
CVE-2025-11563
|
| VCID-5jan-pqf6-fyhr | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8622
|
| VCID-5n7a-9j23-e7dj | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2018-16839
|
| VCID-6ge5-86tg-dydf | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-27779
|
| VCID-6muy-xpdq-9kg8 | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8616
|
| VCID-6yb7-t8qs-cbch | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2018-1000007
|
| VCID-75nw-4e2d-zqgg | curl: libcurl: ASN.1 date parser overread |
CVE-2024-7264
|
| VCID-79sv-kzb5-hbc4 | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2019-3822
|
| VCID-7c8e-eaqy-akeu | security update |
CVE-2015-3153
|
| VCID-7srk-hshe-h3f4 | Improper Authentication An authentication bypass vulnerability exists in libcurl v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection. |
CVE-2023-27538
|
| VCID-7vt9-pf5q-uqb6 | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2018-1000301
|
| VCID-7xxh-66ys-4bhw | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-5419
|
| VCID-87qu-j64w-p7fj | unchecked ssl certificate host name |
CVE-2013-4545
|
| VCID-8m6a-ej6a-g3df | curl: freeing stack buffer in utf8asn1str |
CVE-2024-6197
|
| VCID-9cbd-x468-rkaw | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2018-16840
|
| VCID-9ggp-5wfj-ufcq | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-43552
|
| VCID-9mjz-apkm-g7h1 | libcurl: curl: QUIC certificate check skip with wolfSSL |
CVE-2025-4947
|
| VCID-9nak-pscy-e7gs | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-32221
|
| VCID-9q2w-yxvk-pbhd | cURL is vulnerable to local arbitrary code execution via buffer overflow due to the insecure parsing of URLs. |
CVE-2005-4077
|
| VCID-a3v7-ptf1-6qgd | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-7141
|
| VCID-a9b6-m25r-kygw | The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by "*.com." |
CVE-2016-9952
|
| VCID-ac6r-spds-qbf5 | Multiple vulnerabilities have been found in cURL, the worst of which may lead to arbitrary code execution. |
CVE-2019-5435
|
| VCID-ae59-w7a1-7keg | Multiple vulnerabilities have been found in cURL, the worst of which may allow execution of arbitrary code. |
CVE-2017-1000254
|
| VCID-amgy-dw6h-6ydf | curl: curl: Arbitrary code execution or Denial of Service via use-after-free in SMB request handling |
CVE-2026-3805
|
| VCID-arjz-67yz-wkg9 | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2023-27533
|
| VCID-aua9-4frt-xugf | curl: libcurl: Curl out of bounds read for cookie path |
CVE-2025-9086
|
| VCID-b2ef-zj3u-rbhy | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-0755
|
| VCID-b69q-9yrr-myf7 | Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. |
CVE-2024-0853
|
| VCID-bb2f-7qrm-1kca | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-27781
|
| VCID-bdrx-sm6b-sken | Multiple vulnerabilities have been found in cURL, allowing attackers to execute arbitrary code or cause Denial of Service. |
CVE-2013-6422
|
| VCID-bdy2-8gub-tfe6 | Double Free When sending data to an MQTT server, libcurl could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*. |
CVE-2021-22945
|
| VCID-bgtv-jrna-9yb3 | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-5421
|
| VCID-bhvd-ntxz-dkg4 | Multiple vulnerabilities have been found in cURL, the worst of which may allow execution of arbitrary code. |
CVE-2017-8816
|
| VCID-bv57-gvfs-qfhj | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2018-1000121
|
| VCID-bvgs-71kb-mbcx | security flaw |
CVE-2005-0490
|
| VCID-bz4u-6rft-s3a8 | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2023-38039
|
| VCID-c2na-7q9e-47am | information disclosure |
CVE-2014-0015
|
| VCID-c6dk-7gj6-7far | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8623
|
| VCID-cbah-e86c-w3fj | Improper Authentication An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information. |
CVE-2023-27535
|
| VCID-cbph-fu9d-gbah | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2018-1000122
|
| VCID-cp4n-p2z3-43b4 | Multiple vulnerabilities have been found in cURL, the worst of which could result in information disclosure or data loss. |
CVE-2020-8177
|
| VCID-d3s1-3qs7-2uhw | curl: Cipher settings shared for all connections when using schannel TLS backed |
CVE-2021-22897
|
| VCID-ddgz-rczw-jqfw | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2023-28320
|
| VCID-dgtq-eaav-jyhf | Out-of-bounds Write A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse. |
CVE-2018-1000120
GHSA-674j-7m97-j2p9 |
| VCID-dhrf-2sz5-3bhf | Multiple vulnerabilities have been found in cURL, the worst of which may lead to arbitrary code execution. |
CVE-2019-5481
|
| VCID-dj5e-62rt-hkex | Multiple vulnerabilities have been found in cURL, the worst of which might allow remote execution of arbitrary code. |
CVE-2010-0734
|
| VCID-drkp-q9r5-ukcm | Multiple vulnerabilities have been found in cURL, the worst of which may allow execution of arbitrary code. |
CVE-2017-8818
|
| VCID-dzzd-afgu-3fcy | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2014-8150
|
| VCID-e1yx-dxa6-1bba | Multiple vulnerabilities have been found in the Oracle JRE/JDK, allowing attackers to cause unspecified impact. |
CVE-2011-3389
|
| VCID-e58m-g37d-9fd6 | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8624
|
| VCID-eap9-v2gp-fqgh | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-3739
|
| VCID-eer3-29q8-sbgq | security update |
CVE-2014-3707
|
| VCID-ej47-4dcu-5fhy | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-42915
|
| VCID-ekav-zg3k-v3ea | curl: cookies accepted for TLDs |
CVE-2014-3620
|
| VCID-exhe-cmqf-duad | Multiple vulnerabilities have been found in cURL, the worst of which might allow remote execution of arbitrary code. |
CVE-2011-2192
|
| VCID-f1aq-3cj8-gfbq | curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server. |
CVE-2003-1605
|
| VCID-fnj3-2du1-4bhx | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-9586
|
| VCID-fnr7-xb26-dbez | Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error. |
CVE-2020-19909
|
| VCID-fp65-97n1-xuaj | Multiple vulnerabilities have been found in cURL, the worst of which may allow attackers to bypass intended restrictions. |
CVE-2017-1000100
|
| VCID-frgg-29yv-dyf7 | Multiple vulnerabilities have been found in cURL, the worst of which could result in the arbitrary execution of code. |
CVE-2021-22890
|
| VCID-ggt7-eejg-xfb6 | Multiple vulnerabilities have been found in cURL, the worst of which could result in the arbitrary execution of code. |
CVE-2021-22876
|
| VCID-gnx2-djyk-uyaf | Cookie injection with none file This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle does not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course. |
CVE-2023-38546
|
| VCID-gv7x-j8bz-wycc | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-32207
|
| VCID-gwb6-rf4r-d3b2 | Multiple vulnerabilities have been found in cURL, allowing attackers to execute arbitrary code or cause Denial of Service. |
CVE-2013-0249
|
| VCID-hj8v-tgnn-mfdw | The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read. |
CVE-2016-9953
|
| VCID-hjkx-6yep-mkde | curl: removes wrong file on error |
CVE-2022-27778
|
| VCID-hrsy-694u-2fec | curl: OCSP stapling bypass with GnuTLS |
CVE-2024-8096
|
| VCID-hudt-78dw-tkf2 | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2021-22925
|
| VCID-hyqp-z8hb-fqbt | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-9594
|
| VCID-j2cq-q3r9-jfcp | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8620
|
| VCID-j2qx-np45-4qdu | Multiple vulnerabilities have been found in cURL, the worst of which may allow execution of arbitrary code. |
CVE-2017-1000257
|
| VCID-j5s3-rr74-nqb8 | Multiple vulnerabilities have been found in cURL, the worst of which could result in information disclosure or data loss. |
CVE-2020-8169
|
| VCID-jeqg-g3en-5udw | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-5420
|
| VCID-jnfc-8f5d-pyh4 | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2018-1000005
|
| VCID-jqqf-gmd3-ubcd | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8621
|
| VCID-jtw4-af4y-nkbk | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8619
|
| VCID-ju6h-a1sz-f7e5 | Multiple vulnerabilities have been found in cURL, the worst of which could result in information disclosure or data loss. |
CVE-2020-8285
|
| VCID-k8kj-q1je-f7bt | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-7167
|
| VCID-ke81-x2ze-rbc5 | Double Free A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free. |
CVE-2023-27537
|
| VCID-krgt-drpz-y7cy | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2018-1000300
|
| VCID-kt4b-7ffh-4bch | When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. |
CVE-2025-13034
|
| VCID-m15r-v9sr-2bbn | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2023-28319
|
| VCID-m3nh-aha9-dfbc | Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, when the --remote-header-name or -J option is used, allows remote servers to create or overwrite arbitrary files by using \ (backslash) as a separator of path components within the Content-disposition HTTP header. |
CVE-2010-3842
|
| VCID-m3r3-25yq-hqdc | Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks. |
CVE-2016-4606
|
| VCID-m5fs-um7r-9qh2 | curl: libcurl: WebSocket endless loop |
CVE-2025-5399
|
| VCID-ma8s-he6x-z7a8 | curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. |
CVE-2014-2522
|
| VCID-ms2r-94ph-yyh3 | Improper Authentication An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed. |
CVE-2023-27536
|
| VCID-my7a-jeng-5bhw | curl: macidn punycode buffer overread |
CVE-2024-6874
|
| VCID-n51k-39uk-auca | Multiple vulnerabilities have been found in cURL, the worst of which could result in information disclosure or data loss. |
CVE-2020-8286
|
| VCID-n57n-cymy-z7dr | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2023-23916
|
| VCID-ph5u-5j8n-4qah | Multiple vulnerabilities have been found in cURL, the worst of which could result in the arbitrary execution of code. |
CVE-2021-22898
|
| VCID-prff-34kh-kbat | Multiple vulnerabilities have been found in cURL, allowing attackers to execute arbitrary code or cause Denial of Service. |
CVE-2013-1944
|
| VCID-pwn6-j8vf-rufk | curl: HSTS subdomain overwrites parent cache entry |
CVE-2024-9681
|
| VCID-q229-ag6u-u3hv | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-22576
|
| VCID-q3hu-8uy5-e3a4 | A coding error has been found in cURL, causing the TLS Certificate Status Request extension check to always return true. |
CVE-2017-2629
|
| VCID-qbpd-star-6fgn | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2021-22923
|
| VCID-qdcn-2u3v-b3cv | Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. |
CVE-2023-46218
|
| VCID-qka4-jfdb-w3d5 | Multiple vulnerabilities have been found in cURL, the worst of which can allow remote attackers to cause Denial of Service condition. |
CVE-2015-3144
|
| VCID-qpfa-s6sd-8yct | curl: Windows OpenSSL engine code injection |
CVE-2019-5443
|
| VCID-r3ny-7kn7-ukaa | An error in the X.509 certificate handling of cURL might enable remote attackers to conduct man-in-the-middle attacks. |
CVE-2009-2417
|
| VCID-r447-deb8-2ydj | Multiple vulnerabilities have been found in cURL, the worst of which can allow remote attackers to cause Denial of Service condition. |
CVE-2015-3237
|
| VCID-r7bh-7wur-xffs | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-27776
|
| VCID-rg54-svzj-x7f9 | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-35260
|
| VCID-rhxh-77pj-1bfy | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-27780
|
| VCID-rmez-cwu2-2ya7 | Multiple vulnerabilities have been found in cURL, the worst of which could result in information disclosure or data loss. |
CVE-2020-8284
|
| VCID-s73y-y7v7-43cm | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2023-28322
|
| VCID-sh5a-fmna-wffr | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2021-22946
|
| VCID-sknq-8mm1-6qfe | security update |
CVE-2014-3613
|
| VCID-snaz-pg1h-8kew | cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name. |
CVE-2016-0754
|
| VCID-syz5-5y6f-s7er | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2023-27534
|
| VCID-t1fk-cbsx-j3gh | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-32205
|
| VCID-t4gn-9fw8-gkc3 | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2021-22947
|
| VCID-t753-w1ha-kqaz | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2014-8151
|
| VCID-t8t6-9wa3-aub7 | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-27775
|
| VCID-t9p4-2x7v-yfaq |
CVE-2025-0167
|
|
| VCID-tcqe-7skm-b3fz | Out-of-bounds Write This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with. |
CVE-2023-38545
|
| VCID-tha5-fv3w-sub6 | Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. |
CVE-2024-2004
|
| VCID-tmv3-fzje-sbck | Multiple vulnerabilities have been found in cURL, the worst of which can allow remote attackers to cause Denial of Service condition. |
CVE-2015-3148
|
| VCID-tz47-j4ey-t7g6 | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2018-14618
|
| VCID-u4bx-xqb3-vuef | Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. |
CVE-2024-2398
|
| VCID-u9jp-j1ds-73e7 | curl: URL file scheme drive letter buffer overflow |
CVE-2017-9502
|
| VCID-v3qf-6wju-1bg8 | security update |
CVE-2018-16890
|
| VCID-v9n1-d6xt-6ubn | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-30115
|
| VCID-vr9x-yqsd-6fc8 | A heap-based buffer overflow in cURL might allow remote attackers to execute arbitrary code. |
CVE-2018-0500
|
| VCID-vxpj-xygq-9be2 | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8615
|
| VCID-vyk2-s5ut-ubbz | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8618
|
| VCID-w8ks-xk66-r3fm | Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. |
CVE-2019-3823
|
| VCID-wc8j-qyp4-tqbd | Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory. |
CVE-2016-4802
|
| VCID-wdhs-h36p-qbga | curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148) |
CVE-2017-2628
|
| VCID-wgma-bycg-1qb1 | curl: curl netrc password leak |
CVE-2024-11053
|
| VCID-wh98-pw9h-cyfx | Multiple vulnerabilities have been found in cURL, the worst of which can allow remote attackers to cause Denial of Service condition. |
CVE-2015-3145
|
| VCID-wrh2-77dv-hbdz | Multiple vulnerabilities have been found in cURL, the worst of which may allow execution of arbitrary code. |
CVE-2017-8817
|
| VCID-wwam-tcmv-kqhc | Multiple vulnerabilities have been found in cURL, the worst of which may lead to arbitrary code execution. |
CVE-2019-5482
|
| VCID-xkw8-ptjd-sfb6 | libcurl is affected by a buffer overflow in the handling of URLs for the TFTP protocol, which could be exploited to compromise a user's system. |
CVE-2006-1061
|
| VCID-xm7g-6w3z-37fs | libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions. |
CVE-2007-3564
|
| VCID-xpss-yndr-mycj | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-43551
|
| VCID-xspf-45t1-2uhf | Multiple vulnerabilities have been found in cURL, the worst of which can allow remote attackers to cause Denial of Service condition. |
CVE-2015-3143
|
| VCID-xzay-sjpy-3yce | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-32206
|
| VCID-y32p-52ps-4ug4 | Use of Incorrectly-Resolved Name or Reference libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function does not take `issuercert` into account and it compared the involved paths *case insensitively*, which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even vary depending on used file systems. The comparison also didn't include the `issuer cert` which a transfer can set to qualify how to verify the server certificate. |
CVE-2021-22924
|
| VCID-y4x5-n5m2-x7bq | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-32208
|
| VCID-ya9y-nav3-37hh | curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. |
CVE-2014-1263
|
| VCID-yaas-j3qk-kfdg | Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-42916
|
| VCID-yubp-g4rt-c3e6 | Multiple vulnerabilities have been found in cURL, the worst of which can allow remote attackers to cause Denial of Service condition. |
CVE-2015-3236
|
| VCID-yvdd-ataf-ckf1 | Multiple vulnerabilities have been found in cURL, the worst of which could result in information disclosure or data loss. |
CVE-2020-8231
|
| VCID-yxks-8529-23bj | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8625
|
| VCID-z49y-v1gh-h7gj | Multiple vulnerabilities have been found in cURL, allowing attackers to execute arbitrary code or cause Denial of Service. |
CVE-2013-2174
|
| VCID-z8h3-fdj8-xuaa | Multiple vulnerabilities have been discovered in cURL, the worst of which could lead to man-in-the-middle attacks. |
CVE-2014-0138
|
| VCID-zxz2-xfpd-pbay | Multiple vulnerabilities have been found in cURL, the worst of which could allow remote attackers to execute arbitrary code. |
CVE-2016-8617
|