CURL-CVE-2026-8924

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2026-8924.html

Import Source

https://curl.se/docs/CURL-CVE-2026-8924.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2026-8924

Aliases

CVE-2026-8924

Published

2026-06-24T08:00:00Z

Modified

2026-06-24T14:05:44.421880Z

Summary

trailing dot domain super cookie

Details

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set "super cookies" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.

Database specific

{
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2026-8924.json",
    "last_affected": "8.20.0",
    "issue": "https://hackerone.com/reports/3733905",
    "affects": "both",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2026-8924.html",
    "CWE": {
        "desc": "Information Exposure Through Sent Data",
        "id": "CWE-201"
    }
}

References

Credits

- vegagent on hackerone - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.46.0

Fixed

8.21.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

e77b5b7453c1e8ccd7ec0816890d98e2f392e465

Fixed

51beed175dbfc37da3113f6acce60c630c070ce8

Affected versions

7.*

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

7.60.0

7.61.0

7.61.1

7.62.0

7.63.0

7.64.0

7.64.1

7.65.0

7.65.1

7.65.2

7.65.3

7.66.0

7.67.0

7.68.0

7.69.0

7.69.1

7.70.0

7.71.0

7.71.1

7.72.0

7.73.0

7.74.0

7.75.0

7.76.0

7.76.1

7.77.0

7.78.0

7.79.0

7.79.1

7.80.0

7.81.0

7.82.0

7.83.0

7.83.1

7.84.0

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.10.0

8.10.1

8.11.0

8.11.1

8.12.0

8.12.1

8.13.0

8.14.0

8.14.1

8.15.0

8.16.0

8.17.0

8.18.0

8.19.0

8.2.0

8.2.1

8.20.0

8.3.0

8.4.0

8.5.0

8.6.0

8.7.0

8.7.1

8.8.0

8.9.0

8.9.1

Other

curl-7_46_0

curl-7_47_0

curl-7_47_1

curl-7_48_0

curl-7_49_0

curl-7_49_1

curl-7_50_0

curl-7_50_1

curl-7_50_2

curl-7_50_3

curl-7_51_0

curl-7_52_0

curl-7_52_1

curl-7_53_0

curl-7_53_1

curl-7_54_0

curl-7_54_1

curl-7_55_0

curl-7_55_1

curl-7_56_0

curl-7_56_1

curl-7_57_0

curl-7_58_0

curl-7_59_0

curl-7_60_0

curl-7_61_0

curl-7_61_1

curl-7_62_0

curl-7_63_0

curl-7_64_0

curl-7_64_1

curl-7_65_0

curl-7_65_1

curl-7_65_2

curl-7_65_3

curl-7_66_0

curl-7_67_0

curl-7_68_0

curl-7_69_0

curl-7_69_1

curl-7_70_0

curl-7_71_0

curl-7_71_1

curl-7_72_0

curl-7_73_0

curl-7_74_0

curl-7_75_0

curl-7_76_0

curl-7_76_1

curl-7_77_0

curl-7_78_0

curl-7_79_0

curl-7_79_1

curl-7_80_0

curl-7_81_0

curl-7_82_0

curl-7_83_0

curl-7_83_1

curl-7_84_0

curl-7_85_0

curl-7_86_0

curl-7_87_0

curl-7_88_0

curl-7_88_1

curl-8_0_0

curl-8_0_1

curl-8_10_0

curl-8_10_1

curl-8_11_0

curl-8_11_1

curl-8_12_0

curl-8_12_1

curl-8_13_0

curl-8_14_0

curl-8_14_1

curl-8_15_0

curl-8_16_0

curl-8_17_0

curl-8_18_0

curl-8_19_0

curl-8_1_0

curl-8_1_1

curl-8_1_2

curl-8_20_0

curl-8_2_0

curl-8_2_1

curl-8_3_0

curl-8_4_0

curl-8_5_0

curl-8_6_0

curl-8_7_0

curl-8_7_1

curl-8_8_0

curl-8_9_0

curl-8_9_1

rc-8_18_0-1

rc-8_18_0-2

rc-8_18_0-3

rc-8_19_0-1

rc-8_19_0-2

rc-8_19_0-3

rc-8_20_0-1

rc-8_20_0-2

rc-8_20_0-3

tiny-curl-7_72_0

tiny-curl-8_4_0

Database specific

source

"https://curl.se/docs/CURL-CVE-2026-8924.json"

vanir_signatures_modified

"2026-06-24T14:05:44Z"

vanir_signatures

[
    {
        "target": {
            "file": "lib/cookie.c",
            "function": "is_public_suffix"
        },
        "id": "CURL-CVE-2026-8924-2522c436",
        "source": "https://github.com/curl/curl.git/commit/51beed175dbfc37da3113f6acce60c630c070ce8",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1169.0,
            "function_hash": "335131051994932031989893635630674715587"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/cookie.c"
        },
        "id": "CURL-CVE-2026-8924-ddd759ad",
        "source": "https://github.com/curl/curl.git/commit/51beed175dbfc37da3113f6acce60c630c070ce8",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "169337999188256190714791795318413023466",
                "83941563893831075434737957461444023007",
                "290656883257034455718269047425596961497",
                "128239869894127245898894739649854696868",
                "284134061910249587225395334356655932742",
                "274688375762767551377970585583374821277",
                "151327342236776251830642709660831085730",
                "199459904939080377542151089627839573826",
                "109306483060873899948608905735302233218"
            ]
        },
        "signature_version": "v1"
    }
]