Vulnerability in Curl

CVE-2026-12064

When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initial…

Affected products

  • Curl — versions 8.20.0, 8.19.0, 8.18.0

References