Filtered by vendor Haxx
Subscribe
Total
182 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-8621 | 1 Haxx | 1 Curl | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short. | |||||
| CVE-2016-8620 | 1 Haxx | 1 Curl | 2026-06-17 | 7.5 HIGH | 6.5 MEDIUM |
| The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input. | |||||
| CVE-2016-8619 | 1 Haxx | 1 Curl | 2026-06-17 | 7.5 HIGH | 5.3 MEDIUM |
| The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free. | |||||
| CVE-2016-8618 | 1 Haxx | 1 Curl | 2026-06-17 | 7.5 HIGH | 5.3 MEDIUM |
| The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables. | |||||
| CVE-2016-8617 | 1 Haxx | 1 Curl | 2026-06-17 | 4.4 MEDIUM | 3.3 LOW |
| The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`. | |||||
| CVE-2016-8616 | 1 Haxx | 1 Curl | 2026-06-17 | 4.3 MEDIUM | 3.7 LOW |
| A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password. | |||||
| CVE-2016-8615 | 1 Haxx | 1 Curl | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. | |||||
| CVE-2016-7167 | 2 Fedoraproject, Haxx | 2 Fedora, Libcurl | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. | |||||
| CVE-2016-7141 | 2 Haxx, Opensuse | 2 Libcurl, Leap | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. | |||||
| CVE-2016-5421 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2026-06-17 | 6.8 MEDIUM | 8.1 HIGH |
| Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors. | |||||
| CVE-2016-5420 | 3 Debian, Haxx, Opensuse | 3 Debian Linux, Libcurl, Leap | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. | |||||
| CVE-2016-5419 | 3 Debian, Haxx, Opensuse | 3 Debian Linux, Libcurl, Leap | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. | |||||
| CVE-2016-4802 | 1 Haxx | 1 Curl | 2026-06-17 | 6.9 MEDIUM | 7.8 HIGH |
| Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory. | |||||
| CVE-2016-4606 | 2 Apple, Haxx | 2 Mac Os X, Curl | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks. | |||||
| CVE-2016-3739 | 1 Haxx | 1 Curl | 2026-06-17 | 2.6 LOW | 5.3 MEDIUM |
| The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate. | |||||
| CVE-2016-0755 | 3 Canonical, Debian, Haxx | 3 Ubuntu Linux, Debian Linux, Curl | 2026-06-17 | 5.0 MEDIUM | 7.3 HIGH |
| The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015. | |||||
| CVE-2016-0754 | 2 Haxx, Microsoft | 2 Curl, Windows | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name. | |||||
| CVE-2015-3237 | 3 Haxx, Hp, Oracle | 5 Curl, Libcurl, System Management Homepage and 2 more | 2026-06-17 | 6.4 MEDIUM | N/A |
| The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values. | |||||
| CVE-2015-3236 | 1 Haxx | 2 Curl, Libcurl | 2026-06-17 | 5.0 MEDIUM | N/A |
| cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors. | |||||
| CVE-2015-3153 | 5 Apple, Canonical, Debian and 2 more | 6 Mac Os X, Ubuntu Linux, Debian Linux and 3 more | 2026-06-17 | 5.0 MEDIUM | N/A |
| The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents. | |||||