Search for packages
| purl | pkg:generic/curl.se/curl@8.12.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-176a-agbw-hqdy
Aliases: CVE-2025-5025 |
curl: libcurl: QUIC Certificate Pinning Bypass |
Affected by 14 other vulnerabilities. |
|
VCID-2cx5-1qnw-uufj
Aliases: CVE-2026-1965 |
curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication |
Affected by 0 other vulnerabilities. |
|
VCID-5xp7-mcsa-uqd4
Aliases: CVE-2025-14819 |
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. |
Affected by 4 other vulnerabilities. |
|
VCID-8zks-th64-33b8
Aliases: CVE-2026-3784 |
curl: curl: Unauthorized access due to improper HTTP proxy connection reuse |
Affected by 0 other vulnerabilities. |
|
VCID-9mjz-apkm-g7h1
Aliases: CVE-2025-4947 |
libcurl: curl: QUIC certificate check skip with wolfSSL |
Affected by 14 other vulnerabilities. |
|
VCID-etzn-uhck-h7b2
Aliases: CVE-2026-3783 |
curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect |
Affected by 0 other vulnerabilities. |
|
VCID-ksap-zrmb-ebcu
Aliases: CVE-2025-10148 |
curl: predictable WebSocket mask |
Affected by 11 other vulnerabilities. |
|
VCID-kt4b-7ffh-4bch
Aliases: CVE-2025-13034 |
When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. |
Affected by 4 other vulnerabilities. |
|
VCID-mkyr-w79c-qqfz
Aliases: CVE-2025-14017 |
curl: curl: Security bypass due to global TLS option changes in multi-threaded LDAPS transfers |
Affected by 4 other vulnerabilities. |
|
VCID-nvzd-v3bs-6qek
Aliases: CVE-2025-15079 |
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. |
Affected by 4 other vulnerabilities. |
|
VCID-qpux-jh6k-8qhx
Aliases: CVE-2025-10966 |
curl: Curl missing SFTP host verification with wolfSSH backend |
Affected by 10 other vulnerabilities. |
|
VCID-vbbv-k1r7-kkas
Aliases: CVE-2025-15224 |
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. |
Affected by 4 other vulnerabilities. |
|
VCID-x57x-w8g8-7ybz
Aliases: CVE-2025-14524 |
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-26p8-15d6-kbb1 | libcurl: Double Close of Eventfd in libcurl |
CVE-2025-0665
|
| VCID-6we4-n888-6qhe | libcurl: Buffer Overflow in libcurl via zlib Integer Overflow |
CVE-2025-0725
|
| VCID-t9p4-2x7v-yfaq |
CVE-2025-0167
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T18:21:17.512410+00:00 | Curl Importer | Fixing | VCID-t9p4-2x7v-yfaq | https://curl.se/docs/CVE-2025-0167.json | 38.0.0 |
| 2026-04-01T18:21:17.344584+00:00 | Curl Importer | Fixing | VCID-26p8-15d6-kbb1 | https://curl.se/docs/CVE-2025-0665.json | 38.0.0 |
| 2026-04-01T18:21:17.313266+00:00 | Curl Importer | Fixing | VCID-6we4-n888-6qhe | https://curl.se/docs/CVE-2025-0725.json | 38.0.0 |
| 2026-04-01T18:21:16.683237+00:00 | Curl Importer | Affected by | VCID-9mjz-apkm-g7h1 | https://curl.se/docs/CVE-2025-4947.json | 38.0.0 |
| 2026-04-01T18:21:16.625764+00:00 | Curl Importer | Affected by | VCID-176a-agbw-hqdy | https://curl.se/docs/CVE-2025-5025.json | 38.0.0 |
| 2026-04-01T18:21:16.471628+00:00 | Curl Importer | Affected by | VCID-ksap-zrmb-ebcu | https://curl.se/docs/CVE-2025-10148.json | 38.0.0 |
| 2026-04-01T18:21:16.417585+00:00 | Curl Importer | Affected by | VCID-qpux-jh6k-8qhx | https://curl.se/docs/CVE-2025-10966.json | 38.0.0 |
| 2026-04-01T18:21:16.195536+00:00 | Curl Importer | Affected by | VCID-kt4b-7ffh-4bch | https://curl.se/docs/CVE-2025-13034.json | 38.0.0 |
| 2026-04-01T18:21:16.113639+00:00 | Curl Importer | Affected by | VCID-mkyr-w79c-qqfz | https://curl.se/docs/CVE-2025-14017.json | 38.0.0 |
| 2026-04-01T18:21:15.571356+00:00 | Curl Importer | Affected by | VCID-x57x-w8g8-7ybz | https://curl.se/docs/CVE-2025-14524.json | 38.0.0 |
| 2026-04-01T18:21:15.167647+00:00 | Curl Importer | Affected by | VCID-5xp7-mcsa-uqd4 | https://curl.se/docs/CVE-2025-14819.json | 38.0.0 |
| 2026-04-01T18:21:15.037888+00:00 | Curl Importer | Affected by | VCID-nvzd-v3bs-6qek | https://curl.se/docs/CVE-2025-15079.json | 38.0.0 |
| 2026-04-01T18:21:14.767007+00:00 | Curl Importer | Affected by | VCID-vbbv-k1r7-kkas | https://curl.se/docs/CVE-2025-15224.json | 38.0.0 |
| 2026-04-01T18:21:14.480261+00:00 | Curl Importer | Affected by | VCID-2cx5-1qnw-uufj | https://curl.se/docs/CVE-2026-1965.json | 38.0.0 |
| 2026-04-01T18:21:13.839739+00:00 | Curl Importer | Affected by | VCID-etzn-uhck-h7b2 | https://curl.se/docs/CVE-2026-3783.json | 38.0.0 |
| 2026-04-01T18:21:13.422198+00:00 | Curl Importer | Affected by | VCID-8zks-th64-33b8 | https://curl.se/docs/CVE-2026-3784.json | 38.0.0 |