CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

● Live advisory feed

Security Advisory Fusion for CSIRTs, SOCs & Defenders

Security advisories from 24 sources — CISA, CERT-EU, NCSC-UK, BSI, CERT-FR, NCSC-NL, JPCERT/CC, JVN, HKCERT, the Canadian Cyber Centre, NVD, GitHub, Microsoft, Cisco, Fortinet, Palo Alto Networks and more — normalized, translated to English and flagged against the CISA KEV catalog. One global feed for CSIRTs, SOCs and defenders.

Advisories tracked
9,186
Known exploited
1,706
Sources online
24
Last sync
4H AGO
3,808 records · page 35 / 77

CVE-2026-14612: Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a config

Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker who controls or can man-in-the-middle the I

mediumCVSS 4.2CVE-2026-14612nvd2026-07-03

CVE-2026-53478: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special elements used in an O

highCVSS 7.2CVE-2026-53478nvd2026-07-03

CVE-2026-49815: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special Elements used in an O

highCVSS 7.2CVE-2026-49815nvd2026-07-03

CVE-2026-49814: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Improper Neutralization of Special Elements used in an O

highCVSS 7.2CVE-2026-49814nvd2026-07-03

CVE-2026-49813: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special elements used in an O

mediumCVSS 6.7CVE-2026-49813nvd2026-07-03

CVE-2026-14459: Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute pardus-software allows A

Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute pardus-software allows Argument Injection. This issue affects pardus-software: from <= 1.0.4 before 1.0.5.

highpublic exploitCVSS 8.8CVE-2026-14459nvd2026-07-03

CVE-2026-46466: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an use of less trusted source vulnerability. A high privile

lowCVSS 2.7CVE-2026-46466nvd2026-07-03

CVE-2026-46465: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an use of externally-controlled format string vulnerability

mediumCVSS 5.5CVE-2026-46465nvd2026-07-03

CVE-2026-46464: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper link resolution before file access ('Link follo

mediumCVSS 4.9CVE-2026-46464nvd2026-07-03

CVE-2026-46463: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an integer overflow or wraparound vulnerability. An unauthe

mediumCVSS 6.5CVE-2026-46463nvd2026-07-03

CVE-2026-59234: Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calen

Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to

unknownCVE-2026-59234nvd2026-07-03

CVE-2026-56085: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an use of uninitialized resource vulnerability. A low privi

lowCVSS 3.3CVE-2026-56085nvd2026-07-03

CVE-2026-56015: Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length. add() passes the prefix string to the trie builder addPrefixToTrie() wi

Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length. add() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width. addPrefixToTrie() then walks the prefix buffer by pref

criticalCVSS 9.1CVE-2026-56015nvd2026-07-03

CVE-2026-54483: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special elements used in an O

mediumCVSS 6.7CVE-2026-54483nvd2026-07-03

CVE-2026-46730: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an incorrect authorization vulnerability. A high privileged

mediumCVSS 4.2CVE-2026-46730nvd2026-07-03

CVE-2026-46468: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper link resolution before file access ('Link follo

mediumCVSS 4.4CVE-2026-46468nvd2026-07-03

CVE-2026-46467: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an insertion of sensitive information into log file vulnera

mediumCVSS 5.8CVE-2026-46467nvd2026-07-03

CVE-2026-44269: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper link resolution before file access ('link follo

mediumCVSS 4.4CVE-2026-44269nvd2026-07-03

CVE-2026-44268: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an incorrect permission Assignment for critical resource vu

mediumCVSS 4.4CVE-2026-44268nvd2026-07-03

CVE-2026-41124: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Improper limitation of a pathname to a restricted direct

lowCVSS 2.3CVE-2026-41124nvd2026-07-03

CVE-2026-41123: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper access control vulnerability in the RBAC. A low

mediumCVSS 4.3CVE-2026-41123nvd2026-07-03

CVE-2026-26355: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release ver

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special Elements used in an O

mediumCVSS 6.5CVE-2026-26355nvd2026-07-03

CVE-2026-10055: In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging en

In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller. Be

highCVSS 8.5CVE-2026-10055nvd2026-07-03

CVE-2026-10054: In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) with

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connecti

highCVSS 8.8CVE-2026-10054nvd2026-07-03

CVE-2026-5137: The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation

The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a requi

mediumCVSS 4.3CVE-2026-5137nvd2026-07-03

CVE-2026-4322: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows Reflec

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows Reflected XSS. This issue affects Destekz: through 02062026. NOTE: The vendor was contacted and it was le

mediumCVSS 6.1CVE-2026-4322nvd2026-07-03

CVE-2026-4321: Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows SQL In

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows SQL Injection. This issue affects Destekz: through 02062026. NOTE: The vendor was contacted and it was le

criticalCVSS 9.8CVE-2026-4321nvd2026-07-03

CVE-2026-9756: The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and includ

The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for au

mediumCVSS 6.4CVE-2026-9756nvd2026-07-03

CVE-2026-4804: The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering th

The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active

mediumCVSS 6.4CVE-2026-4804nvd2026-07-03

CVE-2026-47896: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library). This issue affects Apache Lucene

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library). This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 through 4.8.0-beta00017. Users are recommended to upgrade to

highCVSS 7.5CVE-2026-47896nvd2026-07-03

CVE-2026-11900: The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-bl

mediumCVSS 4.3CVE-2026-11900nvd2026-07-03

CVE-2026-11778: The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and includin

The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly va

mediumCVSS 5.4CVE-2026-11778nvd2026-07-03

CVE-2026-11398: The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes

mediumCVSS 5.3CVE-2026-11398nvd2026-07-03

CVE-2026-9230: The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due t

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it po

mediumCVSS 4.3CVE-2026-9230nvd2026-07-03

CVE-2026-9148: The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is d

The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor() function, which interpolates the stored

highCVSS 7.2CVE-2026-9148nvd2026-07-03

CVE-2026-8804: Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Aff

unknownCVE-2026-8804nvd2026-07-03

CVE-2026-8351: The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 T

The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'background_text_heading' setting in the render()

mediumCVSS 6.4CVE-2026-8351nvd2026-07-03

CVE-2026-47898: Improper Restriction of XML External Entity Reference vulnerability in Apache Lucene.Net (Lucene.Net.Analysis.Common library). This issue affects Apache Lucene.Net.Analysis.Common

Improper Restriction of XML External Entity Reference vulnerability in Apache Lucene.Net (Lucene.Net.Analysis.Common library). This issue affects Apache Lucene.Net.Analysis.Common: from 4.8.0-beta00005 before 4.8.0-beta00018. Users are recommended to upgrade to version 4.8.0-be

criticalCVSS 9.8CVE-2026-47898nvd2026-07-03

CVE-2026-47897: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library). This issue affects Apache Lucene

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library). This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 before 4.8.0-beta00018. Users are recommended to upgrade to v

highCVSS 7.5CVE-2026-47897nvd2026-07-03

CVE-2026-14544: A flaw was found in HPLIP (HP Linux Imaging and Printing Software). This vulnerability, an incomplete fix for CVE-2026-8631, may allow a remote attacker to escalate privileges or a

A flaw was found in HPLIP (HP Linux Imaging and Printing Software). This vulnerability, an incomplete fix for CVE-2026-8631, may allow a remote attacker to escalate privileges or achieve arbitrary code execution. This can occur through an integer overflow in the hpcups processing

criticalCVSS 9.8CVE-2026-14544nvd2026-07-03

CVE-2026-9547: When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This

When a libcurl-based application performs transfers via SCP:// or SFTP:// and utilizes the CURLOPT_SSH_KEYFUNCTION callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type alre

highCVSS 7.4CVE-2026-9547nvd2026-07-03

CVE-2026-9546: A vulnerability in libcurl caused the HTTP `Referer:` header to persist even when explicitly cleared. While the documentation states that passing NULL to `CURLOPT_REFERER` suppress

A vulnerability in libcurl caused the HTTP Referer: header to persist even when explicitly cleared. While the documentation states that passing NULL to CURLOPT_REFERER suppresses the header, the option failed to clear the internal state. As a result the previous referrer string w

highCVSS 7.5CVE-2026-9546nvd2026-07-03

CVE-2026-9545: In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's i

In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time

highCVSS 7.5CVE-2026-9545nvd2026-07-03

CVE-2026-8932: libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used con

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. Ho

highpublic exploitCVSS 7.5CVE-2026-8932nvd2026-07-03
← NewerOlder →