CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability. libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.
A flaw in libcurl caused the command to clear proxy authentication credentials to fail, leaving old credentials in memory. These credentials were then reused in subsequent transfers that should not have had access to them.
libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. Specifically, settings related to the private key were left out from the configuration match checks.
A vulnerability in libcurl causes the proxy authentication state not to be cleared between requests when reusing a handle for sequential transfers with environment-variable proxy configuration. This can leak the Proxy-Authorization header intended for one proxy to another.
A vulnerability in curl causes it to incorrectly use the password of another user from the .netrc file when a URL with a username (without password) is provided, potentially leading to credential confusion.
A double-free vulnerability has been found in the curl library's SASL authentication mechanism. The bug causes the GSASL context to be cleaned up twice without clearing the pointer, resulting in free() being called on the same memory region.
A flaw in curl's cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
The libcurl library may in some circumstances reuse the wrong connection when asked to perform Negotiate-authenticated requests, even when they are configured for different services. A logical error in the connection pool management code causes a request to incorrectly reuse an existing connection to the same server that was authenticated for different services.
A vulnerability allows reusing an existing live connection for a new transfer using STARTTLS even when the TLS configuration mismatches. This could lead to unauthorized data access or man-in-the-middle attacks.
In IMS, a vulnerability allows out-of-bounds read due to missing bounds check. This could lead to remote denial of service without requiring additional execution privileges.
A vulnerability in curl causes the tool layer to skip initialization of SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS when using a schemeless URL with `--proto-default` sftp (or scp). This results in curl connecting to an unverified SSH remote host without raising an error.
A vulnerability in libcurl causes the Authorization header intended for the original host to be incorrectly forwarded to a different host when reusing a handle for HTTP transfers with Digest authentication. This occurs after a successful transfer to hostA with Digest authentication and then changing the target to hostB.
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
A vulnerability in libcurl causes an easy handle that first uses default native CA trust to continue trusting the native platform store after switching to custom CA material for a later transfer. This occurs because libcurl reuses previously used connections from a connection pool.
A vulnerability in curl's QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service (DoS) against a curl or libcurl client. The helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, enabling a connected QUIC peer to continuously stream empty datagrams and indefinitely stall the client.
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, subsequently invokes curl_easy_reset(), and finally terminates the handle with curl_easy_cleanup(). During the final cleanup, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
The Printcart Web to Print Product Designer for WooCommerce plugin up to version 2.5.2 is vulnerable to arbitrary file deletion. This is due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter sanitized only with sanitize_text_field() – which does not strip path traversal sequences – and then passes it to Nbdesigner_IO::delete_folder() and PHP's rename().
The JSON API User plugin for WordPress up to version 4.1.0 is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the post_comment API endpoint. The post_comment() function lacks proper input sanitization, allowing authenticated attackers with subscriber-level access or higher to inject arbitrary web scripts.
The MotoPress Appointment Booking plugin for WordPress up to version 2.4.4 contains an authorization bypass vulnerability via a user-controlled key. Unauthenticated attackers can overwrite customer data (name, email, phone number) in non-confirmed bookings by exploiting a publicly accessible REST endpoint.
The CM Business Directory plugin for WordPress up to version 1.5.7 is vulnerable to Stored Cross-Site Scripting via Business Address Meta Fields due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that execute when users visit affected pages.

