CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against proxyA using Digest auth, a subsequent transfer routed through proxyB erroneously leaks the Proxy-Authorization header intended solely for proxyA.
A vulnerability in curl causes it to incorrectly use another user's password from the .netrc file when a URL with a username (without password) is provided, potentially leading to credential confusion.
A double-free vulnerability has been found in the curl library's SASL authentication handling. The cleanup logic for the GSASL context may free the same pointer twice, leading to memory corruption.
A flaw in curl's cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
A vulnerability allows reusing an existing live connection for a new transfer using STARTTLS even when the TLS configuration mismatches, potentially leading to unauthorized access or man-in-the-middle attacks.
In IMS, a vulnerability allows out-of-bounds read due to a missing bounds check. This could lead to remote denial of service without requiring additional execution privileges.
A vulnerability in curl causes the tool layer to skip initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS when using a schemeless URL with `--proto-default sftp` (or scp). This results in curl connecting to an unverified SSH remote host without raising an error.
A vulnerability in libcurl causes the Authorization header intended for the original host to be incorrectly forwarded to a different host when reusing a handle for HTTP transfers with Digest authentication.
By default, curl automatically responds to WebSocket PING frames. Due to the lack of an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
A vulnerability in libcurl causes an easy handle that first uses default native CA trust to continue trusting the native platform store after switching to custom CA material for a later transfer. This occurs because libcurl keeps previously used connections in a pool for reuse.
A vulnerability in curl's QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service (DoS) against a curl or libcurl client. The helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, enabling a connected QUIC peer to continuously stream empty datagrams and indefinitely stall the client.
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, subsequently invokes curl_easy_reset(), and finally terminates the handle with curl_easy_cleanup(). During the final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
The Printcart Web to Print Product Designer for WooCommerce plugin up to version 2.5.2 is vulnerable to Arbitrary File Deletion. This is due to insufficient path validation in the store_design_data() function, which constructs a filesystem path from the user-supplied 'nbd_item_key' POST parameter sanitized only with sanitize_text_field() – which does not strip path traversal sequences – and then passes that path directly to Nbdesigner_IO::delete_folder() and PHP's rename().
The AR for WooCommerce plugin for WordPress up to version 8.40 is vulnerable to Directory Traversal via the 'file' parameter. Unauthenticated attackers can read arbitrary files on the server, including sensitive information, because three access controls fail: the AES-256-CBC encryption key is predictable, nonces are generated without authentication, and the Referer check is easily bypassed.
The NEX-Forms plugin for WordPress up to version 9.2.2 is vulnerable to Stored Cross-Site Scripting via the 'real_val__' parameter due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts that execute when users access affected pages.
The AR for WordPress plugin is vulnerable to Directory Traversal in all versions up to and including 8.40 via the 'file' parameter. This allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information.
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS allows an unauthenticated attacker on the same local network segment to execute arbitrary code. Affected versions include 11.0 up to 11.12.4_Update1, 12.0 up to 12.12, and 2025.1 up to 2026.2.
Gardyn devices expose a privileged iothubowner key. Access to this key allows an attacker to invoke an IoTHub Registry Manager function that returns connection information for all Gardyn Home Kit and Studio devices.
A vulnerability in WatchGuard Fireware OS allows bypassing firmware validation when restoring a backup image. An authenticated administrator can exploit this flaw to install a tampered firmware image.
An Out-of-bounds Write vulnerability in the wgagent process of WatchGuard Fireware OS allows an authenticated privileged user to execute arbitrary code via specially crafted requests to the Management Web UI. This affects Fireware OS versions 12.1 up to 12.12 and 2025.1 up to 2026.2.

