Vulnerability in Curl

CVE-2026-9545

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers. When it makes a second transfer to the same site, that server has been replaced by the attacker's impostor machine, which has no valid certificate. When libcur…

Affected products

  • Curl — versions 8.20.0, 8.19.0, 8.18.0

References