CVE-2026-8924
UnknownSummary
A flaw in curl's cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
Risk Assessment
The organization is at risk of credential or session leakage to unrelated domains, potentially leading to account takeover or confidentiality breaches.
Recommendation
Immediately update curl to a version containing the fix for CVE-2026-8924. Also review configurations of applications using curl for potential cookie abuse.
Original NVD description (English source)
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.

