Haxx Curl
48 CVEs affecting Haxx Curl. Latest disclosed: 2026-05-13. Critical: 3, High: 10.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-8818 | Critical | 9.8 | 2017-11-29 | curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have u… |
| CVE-2017-8817 | Critical | 9.8 | 2017-11-29 | The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or… |
| CVE-2017-8816 | Critical | 9.8 | 2017-11-29 | The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resul… |
| CVE-2022-22576 | High | 8.1 | 2022-05-26 | An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properl… |
| CVE-2016-4802 | High | 7.8 | 2016-06-24 | Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbit… |
| CVE-2026-6276 | High | 7.5 | 2026-05-13 | Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without… |
| CVE-2026-5773 | High | 7.5 | 2026-05-13 | libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests… |
| CVE-2025-9086 | High | 7.5 | 2025-09-12 | 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostnam… |
| CVE-2022-27782 | High | 7.5 | 2022-06-02 | libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previ… |
| CVE-2022-27781 | High | 7.5 | 2022-06-02 | libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a server's certificate chain. Due to an erroneous fu… |
| CVE-2022-27775 | High | 7.5 | 2022-06-02 | An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0: by using an IPv6 address that was in the connection pool but with a… |
| CVE-2021-22926 | High | 7.5 | 2021-08-05 | libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with th… |
| CVE-2016-0755 | High | 7.3 | 2016-01-29 | The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote att… |
| CVE-2026-5545 | Medium | 6.5 | 2026-05-13 | libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both… |
| CVE-2026-3784 | Medium | 6.5 | 2026-03-11 | curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. Th… |
| CVE-2023-46218 | Medium | 6.5 | 2023-12-07 | This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. T… |
| CVE-2017-1000101 | Medium | 6.5 | 2017-10-05 | curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the… |
| CVE-2026-6253 | Medium | 5.9 | 2026-05-13 | curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to u… |
| CVE-2026-4873 | Medium | 5.9 | 2026-05-13 | A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial tran… |
| CVE-2022-27774 | Medium | 5.7 | 2022-06-02 | An insufficiently protected credentials vulnerability exists in curl 4.9 up to and including curl 7.82.0 that could allow an attacker to extract creden… |