Insertion of Sensitive Information Into Sent Data in cURL - CVE-2026-8924

Published: June 24, 2026


Vulnerability identifier: #VU135082
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-8924
CWE-ID: CWE-201
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: curl.haxx.se
Affected software:
cURL

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper cookie domain validation in the cookie parsing logic when a cookie whose Domain attribute carries a trailing dot is processed for a hostname that also carries a trailing dot. In that form the domain evades the Public Suffix List check, so a domain that is in fact a public suffix (for example a registry-level suffix such as co.uk) is accepted as a cookie domain. A remote attacker who controls an HTTP response can therefore set a "super cookie" scoped to a public suffix; the client then includes that cookie in requests to every other host under the same suffix, disclosing its contents to unrelated sites.

This issue is exploitable through both libcurl and the curl command line tool, and it bypasses the Public Suffix List check.
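The following is an added illustration of the vulnerability class described above; it is not curl's own code and does not reproduce libcurl's cookie implementation. It models a cookie engine's acceptance decision with a naive Public Suffix List lookup beside a normalized one, and shows that the trailing-dot spelling of a public suffix slips past the naive check while the hardened check refuses it. The PSL subset, the hostnames and the function names are constructed for the demo.

```python
"""Added example: a simplified model of cookie-domain validation, showing how a
trailing-dot Domain= attribute can evade a Public Suffix List check.  This is
illustrative code written for this page, not libcurl's cookie logic."""

# Constructed subset of the Public Suffix List (https://publicsuffix.org/).
# The real list has thousands of entries; entries carry no trailing dot.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "github.io"}


def normalize_host(name: str) -> str:
    """Canonical form for comparison: lowercase, absolute-name trailing dot removed."""
    return name.lower().rstrip(".")


def is_public_suffix_naive(domain: str) -> bool:
    """Vulnerable check: exact lookup, so 'co.uk.' is not recognised as 'co.uk'."""
    return domain.lower() in PUBLIC_SUFFIXES


def is_public_suffix(domain: str) -> bool:
    """Hardened check: normalise first, so a trailing-dot spelling cannot evade the list."""
    return normalize_host(domain) in PUBLIC_SUFFIXES


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 style domain-match on normalised names: the host equals the
    cookie domain or is a subdomain of it."""
    h, d = normalize_host(host), normalize_host(cookie_domain)
    return h == d or h.endswith("." + d)


def accept_cookie(request_host: str, cookie_domain: str, psl_check) -> bool:
    """Decide whether a Set-Cookie 'Domain=' attribute received from request_host
    may be stored.  A domain on the public suffix list is refused because a
    cookie scoped there would be sent to every unrelated site under that
    suffix (a 'super cookie')."""
    if psl_check(cookie_domain):
        return False
    return domain_matches(request_host, cookie_domain)


def recipients_of(cookie_domain: str, hosts) -> list:
    """Hosts from a constructed list that would receive a stored cookie scoped
    to cookie_domain on later requests."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


if __name__ == "__main__":
    host = "www.example.co.uk."   # absolute hostname with a trailing dot (constructed)
    bad_domain = "co.uk."         # attacker-chosen Domain= value with a trailing dot
    print("naive check stores it :", accept_cookie(host, bad_domain, is_public_suffix_naive))  # True
    print("hardened check stores :", accept_cookie(host, bad_domain, is_public_suffix))        # False
    others = ["login.bank.co.uk", "mail.other.co.uk.", "shop.example.com"]
    print("super cookie would be sent to:", recipients_of(bad_domain, others))
```

Run as a script, the block shows the naive validator storing a cookie scoped to co.uk. while the normalized validator refuses it, and lists the unrelated co.uk hosts that would receive the stored cookie. The design point is that both the hostname and the Domain attribute must be canonicalized (here by stripping the trailing dot and lowercasing) before any comparison against the Public Suffix List or the request host.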


How to mitigate CVE-2026-8924

Install the security update from the vendor's website. Check the deployed version with `curl --version`, and remember that libcurl is also bundled by many applications and language runtimes, so those need to be updated separately from the system curl package.

Sources