CVE Catalog

CVE-2026-8924

Unknown
Published: Translated: NVD NIST

Summary

A flaw in curl's cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.

Risk Assessment

The organization is at risk of credential or session leakage to unrelated domains, potentially leading to account takeover or confidentiality breaches.

Recommendation

Immediately update curl to a version containing the fix for CVE-2026-8924. Also review configurations of applications using curl for potential cookie abuse.

Original NVD description (English source)

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS