Vulnerability in Curl

CVE-2026-9547

When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type…

Affected products

  • Curl — versions 8.20.0, 8.19.0, 8.18.0
