CVE-2026-12064: When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly in
When a user invokes curl using a schemeless URL combined with
--proto-default sftp (or scp), a disconnect occurs between the tool layer
and libcurl. The tool layer incorrectly infers the URL scheme, which
erroneously bypasses the initialization of critical SSH security options like
CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the
libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes
the connection via SFTP/SCP as specified. Because the tool layer skipped the
security configuration, these SSH host verification options are silently
omitted, causing curl to connect to an unverified SSH remote host without
throwing an error.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-12064
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-120640.57% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 43% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-12064 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- medium[UPDATE] [medium] cURL: Multiple vulnerabilitiescert-bund
- unknownUSN-8525-1: curl vulnerabilitiesubuntu
- highCVE-2026-12064: proto-default skips SSH verificationmsrc
- unknownMultiple vulnerabilities in cURL and libcurl (June 24, 2026)cert-fr-avis
Recent advisories for When a user
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…nvd · 2026-07-11
- mediumCVE-2026-8678: The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, …nvd · 2026-07-11
- highCVE-2026-13114: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to…nvd · 2026-07-11
- mediumCVE-2026-12426: The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensi…nvd · 2026-07-11
- unknownCVE-2026-58503: Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumerat…nvd · 2026-07-10
- unknownCVE-2026-48127: Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without…nvd · 2026-07-10
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11