Search for packages
| purl | pkg:generic/curl.se/curl@7.87.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2cx5-1qnw-uufj
Aliases: CVE-2026-1965 |
curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication |
Affected by 0 other vulnerabilities. |
|
VCID-47qb-2qkw-1qej
Aliases: CVE-2023-28321 |
Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
Affected by 22 other vulnerabilities. |
|
VCID-4e1k-7bj9-hfch
Aliases: CVE-2023-23914 |
Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
Affected by 32 other vulnerabilities. |
|
VCID-4gze-cwtp-2bgr
Aliases: CVE-2023-23915 |
Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
Affected by 32 other vulnerabilities. |
|
VCID-4seq-hvbx-7fg8
Aliases: CVE-2023-46219 |
Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. |
Affected by 20 other vulnerabilities. |
|
VCID-5xp7-mcsa-uqd4
Aliases: CVE-2025-14819 |
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. |
Affected by 4 other vulnerabilities. |
|
VCID-6we4-n888-6qhe
Aliases: CVE-2025-0725 |
libcurl: Buffer Overflow in libcurl via zlib Integer Overflow |
Affected by 13 other vulnerabilities. |
|
VCID-75nw-4e2d-zqgg
Aliases: CVE-2024-7264 |
curl: libcurl: ASN.1 date parser overread |
Affected by 17 other vulnerabilities. |
|
VCID-7srk-hshe-h3f4
Aliases: CVE-2023-27538 |
Improper Authentication An authentication bypass vulnerability exists in libcurl v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection. |
Affected by 26 other vulnerabilities. |
|
VCID-8zks-th64-33b8
Aliases: CVE-2026-3784 |
curl: curl: Unauthorized access due to improper HTTP proxy connection reuse |
Affected by 0 other vulnerabilities. |
|
VCID-arjz-67yz-wkg9
Aliases: CVE-2023-27533 |
Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
Affected by 26 other vulnerabilities. |
|
VCID-bz4u-6rft-s3a8
Aliases: CVE-2023-38039 |
Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
Affected by 21 other vulnerabilities. |
|
VCID-cbah-e86c-w3fj
Aliases: CVE-2023-27535 |
Improper Authentication An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information. |
Affected by 26 other vulnerabilities. |
|
VCID-ddgz-rczw-jqfw
Aliases: CVE-2023-28320 |
Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
Affected by 22 other vulnerabilities. |
|
VCID-etzn-uhck-h7b2
Aliases: CVE-2026-3783 |
curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect |
Affected by 0 other vulnerabilities. |
|
VCID-gnx2-djyk-uyaf
Aliases: CVE-2023-38546 |
Cookie injection with none file This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle does not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course. |
Affected by 19 other vulnerabilities. |
|
VCID-hrsy-694u-2fec
Aliases: CVE-2024-8096 |
curl: OCSP stapling bypass with GnuTLS |
Affected by 16 other vulnerabilities. |
|
VCID-m15r-v9sr-2bbn
Aliases: CVE-2023-28319 |
Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
Affected by 22 other vulnerabilities. |
|
VCID-mkyr-w79c-qqfz
Aliases: CVE-2025-14017 |
curl: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers |
Affected by 4 other vulnerabilities. |
|
VCID-ms2r-94ph-yyh3
Aliases: CVE-2023-27536 |
Improper Authentication An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed. |
Affected by 26 other vulnerabilities. |
|
VCID-n57n-cymy-z7dr
Aliases: CVE-2023-23916 |
Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
Affected by 32 other vulnerabilities. |
|
VCID-nvzd-v3bs-6qek
Aliases: CVE-2025-15079 |
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. |
Affected by 4 other vulnerabilities. |
|
VCID-pwn6-j8vf-rufk
Aliases: CVE-2024-9681 |
curl: HSTS subdomain overwrites parent cache entry |
Affected by 16 other vulnerabilities. |
|
VCID-qdcn-2u3v-b3cv
Aliases: CVE-2023-46218 |
Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. |
Affected by 20 other vulnerabilities. |
|
VCID-qpux-jh6k-8qhx
Aliases: CVE-2025-10966 |
curl: Curl missing SFTP host verification with wolfSSH backend |
Affected by 10 other vulnerabilities. |
|
VCID-s73y-y7v7-43cm
Aliases: CVE-2023-28322 |
Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
Affected by 22 other vulnerabilities. |
|
VCID-syz5-5y6f-s7er
Aliases: CVE-2023-27534 |
Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
Affected by 26 other vulnerabilities. |
|
VCID-t9p4-2x7v-yfaq
Aliases: CVE-2025-0167 |
Affected by 13 other vulnerabilities. |
|
|
VCID-tcqe-7skm-b3fz
Aliases: CVE-2023-38545 |
Out-of-bounds Write This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with. |
Affected by 19 other vulnerabilities. |
|
VCID-tha5-fv3w-sub6
Aliases: CVE-2024-2004 |
Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. |
Affected by 17 other vulnerabilities. |
|
VCID-u4bx-xqb3-vuef
Aliases: CVE-2024-2398 |
Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. |
Affected by 17 other vulnerabilities. |
|
VCID-vbbv-k1r7-kkas
Aliases: CVE-2025-15224 |
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. |
Affected by 4 other vulnerabilities. |
|
VCID-wgma-bycg-1qb1
Aliases: CVE-2024-11053 |
curl: curl netrc password leak |
Affected by 16 other vulnerabilities. |
|
VCID-x57x-w8g8-7ybz
Aliases: CVE-2025-14524 |
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-9ggp-5wfj-ufcq | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-43552
|
| VCID-xpss-yndr-mycj | Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. |
CVE-2022-43551
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T18:21:25.452040+00:00 | Curl Importer | Fixing | VCID-xpss-yndr-mycj | https://curl.se/docs/CVE-2022-43551.json | 38.0.0 |
| 2026-04-01T18:21:25.372191+00:00 | Curl Importer | Fixing | VCID-9ggp-5wfj-ufcq | https://curl.se/docs/CVE-2022-43552.json | 38.0.0 |
| 2026-04-01T18:21:24.883440+00:00 | Curl Importer | Affected by | VCID-4e1k-7bj9-hfch | https://curl.se/docs/CVE-2023-23914.json | 38.0.0 |
| 2026-04-01T18:21:24.807455+00:00 | Curl Importer | Affected by | VCID-4gze-cwtp-2bgr | https://curl.se/docs/CVE-2023-23915.json | 38.0.0 |
| 2026-04-01T18:21:24.726264+00:00 | Curl Importer | Affected by | VCID-n57n-cymy-z7dr | https://curl.se/docs/CVE-2023-23916.json | 38.0.0 |
| 2026-04-01T18:21:24.535366+00:00 | Curl Importer | Affected by | VCID-arjz-67yz-wkg9 | https://curl.se/docs/CVE-2023-27533.json | 38.0.0 |
| 2026-04-01T18:21:23.930684+00:00 | Curl Importer | Affected by | VCID-syz5-5y6f-s7er | https://curl.se/docs/CVE-2023-27534.json | 38.0.0 |
| 2026-04-01T18:21:23.506332+00:00 | Curl Importer | Affected by | VCID-cbah-e86c-w3fj | https://curl.se/docs/CVE-2023-27535.json | 38.0.0 |
| 2026-04-01T18:21:23.010553+00:00 | Curl Importer | Affected by | VCID-ms2r-94ph-yyh3 | https://curl.se/docs/CVE-2023-27536.json | 38.0.0 |
| 2026-04-01T18:21:22.604901+00:00 | Curl Importer | Affected by | VCID-7srk-hshe-h3f4 | https://curl.se/docs/CVE-2023-27538.json | 38.0.0 |
| 2026-04-01T18:21:22.111638+00:00 | Curl Importer | Affected by | VCID-m15r-v9sr-2bbn | https://curl.se/docs/CVE-2023-28319.json | 38.0.0 |
| 2026-04-01T18:21:22.041746+00:00 | Curl Importer | Affected by | VCID-ddgz-rczw-jqfw | https://curl.se/docs/CVE-2023-28320.json | 38.0.0 |
| 2026-04-01T18:21:21.471119+00:00 | Curl Importer | Affected by | VCID-47qb-2qkw-1qej | https://curl.se/docs/CVE-2023-28321.json | 38.0.0 |
| 2026-04-01T18:21:20.958090+00:00 | Curl Importer | Affected by | VCID-s73y-y7v7-43cm | https://curl.se/docs/CVE-2023-28322.json | 38.0.0 |
| 2026-04-01T18:21:20.337226+00:00 | Curl Importer | Affected by | VCID-bz4u-6rft-s3a8 | https://curl.se/docs/CVE-2023-38039.json | 38.0.0 |
| 2026-04-01T18:21:20.264757+00:00 | Curl Importer | Affected by | VCID-tcqe-7skm-b3fz | https://curl.se/docs/CVE-2023-38545.json | 38.0.0 |
| 2026-04-01T18:21:20.109615+00:00 | Curl Importer | Affected by | VCID-gnx2-djyk-uyaf | https://curl.se/docs/CVE-2023-38546.json | 38.0.0 |
| 2026-04-01T18:21:19.466265+00:00 | Curl Importer | Affected by | VCID-qdcn-2u3v-b3cv | https://curl.se/docs/CVE-2023-46218.json | 38.0.0 |
| 2026-04-01T18:21:19.179496+00:00 | Curl Importer | Affected by | VCID-4seq-hvbx-7fg8 | https://curl.se/docs/CVE-2023-46219.json | 38.0.0 |
| 2026-04-01T18:21:19.063603+00:00 | Curl Importer | Affected by | VCID-tha5-fv3w-sub6 | https://curl.se/docs/CVE-2024-2004.json | 38.0.0 |
| 2026-04-01T18:21:18.951411+00:00 | Curl Importer | Affected by | VCID-u4bx-xqb3-vuef | https://curl.se/docs/CVE-2024-2398.json | 38.0.0 |
| 2026-04-01T18:21:18.508276+00:00 | Curl Importer | Affected by | VCID-75nw-4e2d-zqgg | https://curl.se/docs/CVE-2024-7264.json | 38.0.0 |
| 2026-04-01T18:21:18.115152+00:00 | Curl Importer | Affected by | VCID-hrsy-694u-2fec | https://curl.se/docs/CVE-2024-8096.json | 38.0.0 |
| 2026-04-01T18:21:17.753514+00:00 | Curl Importer | Affected by | VCID-pwn6-j8vf-rufk | https://curl.se/docs/CVE-2024-9681.json | 38.0.0 |
| 2026-04-01T18:21:17.591710+00:00 | Curl Importer | Affected by | VCID-wgma-bycg-1qb1 | https://curl.se/docs/CVE-2024-11053.json | 38.0.0 |
| 2026-04-01T18:21:17.426280+00:00 | Curl Importer | Affected by | VCID-t9p4-2x7v-yfaq | https://curl.se/docs/CVE-2025-0167.json | 38.0.0 |
| 2026-04-01T18:21:17.231325+00:00 | Curl Importer | Affected by | VCID-6we4-n888-6qhe | https://curl.se/docs/CVE-2025-0725.json | 38.0.0 |
| 2026-04-01T18:21:16.338118+00:00 | Curl Importer | Affected by | VCID-qpux-jh6k-8qhx | https://curl.se/docs/CVE-2025-10966.json | 38.0.0 |
| 2026-04-01T18:21:16.030401+00:00 | Curl Importer | Affected by | VCID-mkyr-w79c-qqfz | https://curl.se/docs/CVE-2025-14017.json | 38.0.0 |
| 2026-04-01T18:21:15.492091+00:00 | Curl Importer | Affected by | VCID-x57x-w8g8-7ybz | https://curl.se/docs/CVE-2025-14524.json | 38.0.0 |
| 2026-04-01T18:21:15.087829+00:00 | Curl Importer | Affected by | VCID-5xp7-mcsa-uqd4 | https://curl.se/docs/CVE-2025-14819.json | 38.0.0 |
| 2026-04-01T18:21:14.958502+00:00 | Curl Importer | Affected by | VCID-nvzd-v3bs-6qek | https://curl.se/docs/CVE-2025-15079.json | 38.0.0 |
| 2026-04-01T18:21:14.684968+00:00 | Curl Importer | Affected by | VCID-vbbv-k1r7-kkas | https://curl.se/docs/CVE-2025-15224.json | 38.0.0 |
| 2026-04-01T18:21:14.399538+00:00 | Curl Importer | Affected by | VCID-2cx5-1qnw-uufj | https://curl.se/docs/CVE-2026-1965.json | 38.0.0 |
| 2026-04-01T18:21:13.764107+00:00 | Curl Importer | Affected by | VCID-etzn-uhck-h7b2 | https://curl.se/docs/CVE-2026-3783.json | 38.0.0 |
| 2026-04-01T18:21:13.320652+00:00 | Curl Importer | Affected by | VCID-8zks-th64-33b8 | https://curl.se/docs/CVE-2026-3784.json | 38.0.0 |