rpm package

suse/curl&distro=SUSE Linux Enterprise Micro 5.2

pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.2

Vulnerabilities (40)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-3784	Med	6.5	< 8.14.1-150200.4.103.1	8.14.1-150200.4.103.1	Mar 11, 2026	curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
CVE-2026-3805		—	< 8.14.1-150200.4.103.1	8.14.1-150200.4.103.1	Mar 11, 2026	When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.
CVE-2026-3783		—	< 8.14.1-150200.4.103.1	8.14.1-150200.4.103.1	Mar 11, 2026	When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .ne
CVE-2026-1965		—	< 8.14.1-150200.4.103.1	8.14.1-150200.4.103.1	Mar 11, 2026	libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connectio
CVE-2025-11563		—	< 8.14.1-150200.4.94.1	8.14.1-150200.4.94.1	Feb 25, 2026	URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
CVE-2025-15224		—	< 8.14.1-150200.4.97.1	8.14.1-150200.4.97.1	Jan 8, 2026	When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.
CVE-2025-15079		—	< 8.14.1-150200.4.97.1	8.14.1-150200.4.97.1	Jan 8, 2026	When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.
CVE-2025-14819		—	< 8.14.1-150200.4.97.1	8.14.1-150200.4.97.1	Jan 8, 2026	When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations.
CVE-2025-14524		—	< 8.14.1-150200.4.97.1	8.14.1-150200.4.97.1	Jan 8, 2026	When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
CVE-2025-14017		—	< 8.14.1-150200.4.100.1	8.14.1-150200.4.100.1	Jan 8, 2026	When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer c
CVE-2025-9086	Hig	7.5	< 8.14.1-150200.4.91.1	8.14.1-150200.4.91.1	Sep 12, 2025	1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path
CVE-2025-10148		—	< 8.14.1-150200.4.91.1	8.14.1-150200.4.91.1	Sep 12, 2025	curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traf
CVE-2025-0725		—	< 7.66.0-150200.4.84.1	7.66.0-150200.4.84.1	Feb 5, 2025	When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
CVE-2025-0167		—	< 7.66.0-150200.4.84.1	7.66.0-150200.4.84.1	Feb 5, 2025	When asked to use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both l
CVE-2024-11053		—	< 7.66.0-150200.4.81.1	7.66.0-150200.4.81.1	Dec 11, 2024	When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect
CVE-2024-8096		—	< 7.66.0-150200.4.78.1	7.66.0-150200.4.78.1	Sep 11, 2024	When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports
CVE-2024-7264		—	< 7.66.0-150200.4.75.1	7.66.0-150200.4.75.1	Jul 31, 2024	libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a `strlen()` getting performed on a pointer t
CVE-2024-2398		—	< 7.66.0-150200.4.69.1	7.66.0-150200.4.69.1	Mar 27, 2024	When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated head
CVE-2024-2004		—	< 7.66.0-150200.4.69.1	7.66.0-150200.4.69.1	Mar 27, 2024	When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protoc
CVE-2023-46218	Med	6.5	< 7.66.0-150200.4.63.1	7.66.0-150200.4.63.1	Dec 7, 2023	This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this

CVE-2026-3784MedMar 11, 2026
affected < 8.14.1-150200.4.103.1fixed 8.14.1-150200.4.103.1
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
CVE-2026-3805Mar 11, 2026
affected < 8.14.1-150200.4.103.1fixed 8.14.1-150200.4.103.1
When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.
CVE-2026-3783Mar 11, 2026
affected < 8.14.1-150200.4.103.1fixed 8.14.1-150200.4.103.1
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .ne
CVE-2026-1965Mar 11, 2026
affected < 8.14.1-150200.4.103.1fixed 8.14.1-150200.4.103.1
libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connectio
CVE-2025-11563Feb 25, 2026
affected < 8.14.1-150200.4.94.1fixed 8.14.1-150200.4.94.1
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
CVE-2025-15224Jan 8, 2026
affected < 8.14.1-150200.4.97.1fixed 8.14.1-150200.4.97.1
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.
CVE-2025-15079Jan 8, 2026
affected < 8.14.1-150200.4.97.1fixed 8.14.1-150200.4.97.1
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
CVE-2025-14819Jan 8, 2026
affected < 8.14.1-150200.4.97.1fixed 8.14.1-150200.4.97.1
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations.
CVE-2025-14524Jan 8, 2026
affected < 8.14.1-150200.4.97.1fixed 8.14.1-150200.4.97.1
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
CVE-2025-14017Jan 8, 2026
affected < 8.14.1-150200.4.100.1fixed 8.14.1-150200.4.100.1
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer c
CVE-2025-9086HigSep 12, 2025
affected < 8.14.1-150200.4.91.1fixed 8.14.1-150200.4.91.1
1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path
CVE-2025-10148Sep 12, 2025
affected < 8.14.1-150200.4.91.1fixed 8.14.1-150200.4.91.1
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traf
CVE-2025-0725Feb 5, 2025
affected < 7.66.0-150200.4.84.1fixed 7.66.0-150200.4.84.1
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
CVE-2025-0167Feb 5, 2025
affected < 7.66.0-150200.4.84.1fixed 7.66.0-150200.4.84.1
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both l
CVE-2024-11053Dec 11, 2024
affected < 7.66.0-150200.4.81.1fixed 7.66.0-150200.4.81.1
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect
CVE-2024-8096Sep 11, 2024
affected < 7.66.0-150200.4.78.1fixed 7.66.0-150200.4.78.1
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports
CVE-2024-7264Jul 31, 2024
affected < 7.66.0-150200.4.75.1fixed 7.66.0-150200.4.75.1
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer t
CVE-2024-2398Mar 27, 2024
affected < 7.66.0-150200.4.69.1fixed 7.66.0-150200.4.69.1
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated head
CVE-2024-2004Mar 27, 2024
affected < 7.66.0-150200.4.69.1fixed 7.66.0-150200.4.69.1
When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protoc
CVE-2023-46218MedDec 7, 2023
affected < 7.66.0-150200.4.63.1fixed 7.66.0-150200.4.63.1
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this

Page 1 of 2