Vendor CVEs
Curl
All CVEs
184 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-8624 | Med | 0.35 | 5.3 | 0.06 | Jul 31, 2018 | curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser… | ||
| CVE-2017-9502 | Med | 0.35 | 5.3 | 0.03 | Jun 14, 2017 | In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based… | ||
| CVE-2016-3739 | Med | 0.35 | 5.3 | 0.06 | May 20, 2016 | The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof… | ||
| CVE-2016-0754 | Med | 0.35 | 5.3 | 0.01 | Jan 29, 2016 | cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name. | ||
| CVE-2023-46219 | Med | 0.34 | 5.3 | 0.01 | Dec 12, 2023 | When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. | ||
| CVE-2026-6253 | Med | 0.31 | 5.9 | 0.01 | May 13, 2026 | curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no… | ||
| CVE-2026-4873 | Med | 0.31 | 5.9 | 0.00 | May 13, 2026 | A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS… | ||
| CVE-2021-22947 | Med | 0.31 | 5.9 | 0.03 | Sep 29, 2021 | When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached… | ||
| CVE-2016-8625 | Med | 0.28 | 5.3 | 0.04 | Aug 1, 2018 | curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host. | ||
| CVE-2016-8619 | Med | 0.28 | 5.3 | 0.05 | Aug 1, 2018 | The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free. | ||
| CVE-2016-8618 | Med | 0.28 | 5.3 | 0.05 | Jul 31, 2018 | The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables. | ||
| CVE-2017-2629 | Med | 0.28 | 4.3 | 0.01 | Jul 27, 2018 | curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none… | ||
| CVE-2026-7168 | Med | 0.27 | 5.3 | 0.00 | May 13, 2026 | Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:`… | ||
| CVE-2026-7009 | Med | 0.27 | 5.3 | 0.00 | May 13, 2026 | When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine. | ||
| CVE-2026-6429 | Med | 0.27 | 5.3 | 0.01 | May 13, 2026 | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. | ||
| CVE-2021-22925 | Med | 0.27 | 5.3 | 0.05 | Aug 5, 2021 | curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized… | ||
| CVE-2023-38546 | Low | 0.24 | 3.7 | 0.06 | Oct 18, 2023 | This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. … | ||
| CVE-2020-8284 | Low | 0.24 | 3.7 | 0.04 | Dec 14, 2020 | A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port… | ||
| CVE-2016-8622 | Low | 0.24 | 3.7 | 0.05 | Jul 31, 2018 | The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus… | ||
| CVE-2016-8623 | Low | 0.22 | 3.3 | 0.03 | Aug 1, 2018 | A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure. | ||
| CVE-2025-10966 | Med | 0.21 | 4.3 | 0.00 | Nov 7, 2025 | curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more. | ||
| CVE-2016-8617 | Low | 0.21 | 3.3 | 0.01 | Jul 31, 2018 | The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`. | ||
| CVE-2016-8616 | Low | 0.17 | 3.7 | 0.03 | Aug 1, 2018 | A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has… | ||
| CVE-2021-22898 | Low | 0.13 | 3.1 | 0.04 | Jun 11, 2021 | curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl… | ||
| CVE-2017-7407 | Low | 0.09 | 2.4 | 0.01 | Apr 3, 2017 | The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%'… | ||
| CVE-2011-3389 | 0.09 | — | 0.73 | Sep 6, 2011 | The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to… | |||
| CVE-2021-22901 | 0.05 | — | 0.60 | Jun 11, 2021 | curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code… | |||
| CVE-2013-0249 | 0.05 | — | 0.23 | Mar 8, 2013 | Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute… | |||
| CVE-2009-0037 | 0.04 | — | 0.08 | Mar 5, 2009 | The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via… | |||
| CVE-2015-3145 | 0.03 | — | 0.38 | Apr 24, 2015 | The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing… | |||
| CVE-2023-38039 | 0.01 | — | 0.62 | Sep 15, 2023 | When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an… | |||
| CVE-2019-3822 | 0.01 | — | 0.13 | Feb 6, 2019 | libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received… | |||
| CVE-2018-0500 | Cri | 0.01 | 9.8 | 0.06 | Jul 11, 2018 | Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument… | ||
| CVE-2015-3237 | 0.01 | — | 0.09 | Jun 22, 2015 | The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values. | |||
| CVE-2015-3236 | 0.01 | — | 0.08 | Jun 22, 2015 | cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via… | |||
| CVE-2015-3153 | 0.01 | — | 0.08 | May 1, 2015 | The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents. | |||
| CVE-2015-3148 | 0.01 | — | 0.18 | Apr 24, 2015 | cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request. | |||
| CVE-2015-3144 | 0.01 | — | 0.11 | Apr 24, 2015 | The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as… | |||
| CVE-2015-3143 | 0.01 | — | 0.16 | Apr 24, 2015 | cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015. | |||
| CVE-2014-8150 | 0.01 | — | 0.07 | Jan 15, 2015 | CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL. | |||
| CVE-2014-3613 | 0.01 | — | 0.07 | Nov 18, 2014 | cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. | |||
| CVE-2026-3805 | 0.00 | — | 0.01 | Mar 11, 2026 | When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | |||
| CVE-2026-3783 | 0.00 | — | 0.00 | Mar 11, 2026 | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used… | |||
| CVE-2026-1965 | 0.00 | — | 0.00 | Mar 11, 2026 | libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a… | |||
| CVE-2025-11563 | 0.00 | — | 0.00 | Feb 25, 2026 | URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool. | |||
| CVE-2025-15224 | 0.00 | — | 0.00 | Jan 8, 2026 | When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. | |||
| CVE-2025-15079 | 0.00 | — | 0.00 | Jan 8, 2026 | When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. | |||
| CVE-2025-14819 | 0.00 | — | 0.01 | Jan 8, 2026 | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations.… | |||
| CVE-2025-14524 | 0.00 | — | 0.01 | Jan 8, 2026 | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | |||
| CVE-2025-14017 | 0.00 | — | 0.00 | Jan 8, 2026 | When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer… |
- risk 0.35cvss 5.3epss 0.06
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser…
- risk 0.35cvss 5.3epss 0.03
In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based…
- risk 0.35cvss 5.3epss 0.06
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof…
- risk 0.35cvss 5.3epss 0.01
cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name.
- risk 0.34cvss 5.3epss 0.01
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.
- risk 0.31cvss 5.9epss 0.01
curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no…
- risk 0.31cvss 5.9epss 0.00
A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS…
- risk 0.31cvss 5.9epss 0.03
When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached…
- risk 0.28cvss 5.3epss 0.04
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
- risk 0.28cvss 5.3epss 0.05
The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.
- risk 0.28cvss 5.3epss 0.05
The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.
- risk 0.28cvss 4.3epss 0.01
curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none…
- risk 0.27cvss 5.3epss 0.00
Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:`…
- risk 0.27cvss 5.3epss 0.00
When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.
- risk 0.27cvss 5.3epss 0.01
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.
- risk 0.27cvss 5.3epss 0.05
curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized…
- risk 0.24cvss 3.7epss 0.06
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. …
- risk 0.24cvss 3.7epss 0.04
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port…
- risk 0.24cvss 3.7epss 0.05
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus…
- risk 0.22cvss 3.3epss 0.03
A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.
- risk 0.21cvss 4.3epss 0.00
curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.
- risk 0.21cvss 3.3epss 0.01
The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.
- risk 0.17cvss 3.7epss 0.03
A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has…
- risk 0.13cvss 3.1epss 0.04
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl…
- risk 0.09cvss 2.4epss 0.01
The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%'…
- CVE-2011-3389Sep 6, 2011risk 0.09cvss —epss 0.73
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to…
- CVE-2021-22901Jun 11, 2021risk 0.05cvss —epss 0.60
curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code…
- CVE-2013-0249Mar 8, 2013risk 0.05cvss —epss 0.23
Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute…
- CVE-2009-0037Mar 5, 2009risk 0.04cvss —epss 0.08
The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via…
- CVE-2015-3145Apr 24, 2015risk 0.03cvss —epss 0.38
The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing…
- CVE-2023-38039Sep 15, 2023risk 0.01cvss —epss 0.62
When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an…
- CVE-2019-3822Feb 6, 2019risk 0.01cvss —epss 0.13
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received…
- risk 0.01cvss 9.8epss 0.06
Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument…
- CVE-2015-3237Jun 22, 2015risk 0.01cvss —epss 0.09
The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.
- CVE-2015-3236Jun 22, 2015risk 0.01cvss —epss 0.08
cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via…
- CVE-2015-3153May 1, 2015risk 0.01cvss —epss 0.08
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
- CVE-2015-3148Apr 24, 2015risk 0.01cvss —epss 0.18
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
- CVE-2015-3144Apr 24, 2015risk 0.01cvss —epss 0.11
The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as…
- CVE-2015-3143Apr 24, 2015risk 0.01cvss —epss 0.16
cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.
- CVE-2014-8150Jan 15, 2015risk 0.01cvss —epss 0.07
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
- CVE-2014-3613Nov 18, 2014risk 0.01cvss —epss 0.07
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
- CVE-2026-3805Mar 11, 2026risk 0.00cvss —epss 0.01
When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.
- CVE-2026-3783Mar 11, 2026risk 0.00cvss —epss 0.00
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used…
- CVE-2026-1965Mar 11, 2026risk 0.00cvss —epss 0.00
libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a…
- CVE-2025-11563Feb 25, 2026risk 0.00cvss —epss 0.00
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
- CVE-2025-15224Jan 8, 2026risk 0.00cvss —epss 0.00
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.
- CVE-2025-15079Jan 8, 2026risk 0.00cvss —epss 0.00
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
- CVE-2025-14819Jan 8, 2026risk 0.00cvss —epss 0.01
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations.…
- CVE-2025-14524Jan 8, 2026risk 0.00cvss —epss 0.01
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
- CVE-2025-14017Jan 8, 2026risk 0.00cvss —epss 0.00
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer…
Page 2 of 4