CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-9080
Unknown

Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability. libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.

CVE-2026-9079
Unknown

A flaw in libcurl caused the command to clear proxy authentication credentials to fail, leaving old credentials in memory. These credentials were then reused in subsequent transfers that should not have had access to them.

CVE-2026-8932
Unknown

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. Specifically, settings related to the private key were left out from the configuration match checks.

CVE-2026-8927
Unknown

A vulnerability in libcurl causes the proxy authentication state not to be cleared between requests when reusing a handle for sequential transfers with environment-variable proxy configuration. This can leak the Proxy-Authorization header intended for one proxy to another.

CVE-2026-8926
Unknown

A vulnerability in curl causes it to incorrectly use the password of another user from the .netrc file when a URL with a username (without password) is provided, potentially leading to credential confusion.

CVE-2026-8925
Unknown

A double-free vulnerability has been found in the curl library's SASL authentication mechanism. The bug causes the GSASL context to be cleaned up twice without clearing the pointer, resulting in free() being called on the same memory region.

CVE-2026-8924
Unknown

A flaw in curl's cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.

CVE-2026-8458
Unknown

The libcurl library may in some circumstances reuse the wrong connection when asked to perform Negotiate-authenticated requests, even when they are configured for different services. A logical error in the connection pool management code causes a request to incorrectly reuse an existing connection to the same server that was authenticated for different services.

CVE-2026-8286
Unknown

A vulnerability allows reusing an existing live connection for a new transfer using STARTTLS even when the TLS configuration mismatches. This could lead to unauthorized data access or man-in-the-middle attacks.

CVE-2026-4967
High

In IMS, a vulnerability allows out-of-bounds read due to missing bounds check. This could lead to remote denial of service without requiring additional execution privileges.

CVE-2026-12064
Unknown

A vulnerability in curl causes the tool layer to skip initialization of SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS when using a schemeless URL with `--proto-default` sftp (or scp). This results in curl connecting to an unverified SSH remote host without raising an error.

CVE-2026-11856
Unknown

A vulnerability in libcurl causes the Authorization header intended for the original host to be incorrectly forwarded to a different host when reusing a handle for HTTP transfers with Digest authentication. This occurs after a successful transfer to hostA with Digest authentication and then changing the target to hostB.

CVE-2026-11586
Unknown

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.

CVE-2026-11564
Unknown

A vulnerability in libcurl causes an easy handle that first uses default native CA trust to continue trusting the native platform store after switching to custom CA material for a later transfer. This occurs because libcurl reuses previously used connections from a connection pool.

CVE-2026-11352
Unknown

A vulnerability in curl's QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service (DoS) against a curl or libcurl client. The helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, enabling a connected QUIC peer to continuously stream empty datagrams and indefinitely stall the client.

CVE-2026-10536
Unknown

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, subsequently invokes curl_easy_reset(), and finally terminates the handle with curl_easy_cleanup(). During the final cleanup, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

CVE-2026-9725
Critical

The Printcart Web to Print Product Designer for WooCommerce plugin up to version 2.5.2 is vulnerable to arbitrary file deletion. This is due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter sanitized only with sanitize_text_field() – which does not strip path traversal sequences – and then passes it to Nbdesigner_IO::delete_folder() and PHP's rename().

CVE-2026-9626
Medium

The JSON API User plugin for WordPress up to version 4.1.0 is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the post_comment API endpoint. The post_comment() function lacks proper input sanitization, allowing authenticated attackers with subscriber-level access or higher to inject arbitrary web scripts.

CVE-2026-9180
Medium

The MotoPress Appointment Booking plugin for WordPress up to version 2.4.4 contains an authorization bypass vulnerability via a user-controlled key. Unauthenticated attackers can overwrite customer data (name, email, phone number) in non-confirmed bookings by exploiting a publicly accessible REST endpoint.

CVE-2026-8892
Medium

The CM Business Directory plugin for WordPress up to version 1.5.7 is vulnerable to Stored Cross-Site Scripting via Business Address Meta Fields due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that execute when users visit affected pages.

PreviousPage 11 of 4422Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS