
Vulnerabilities in curl 8.15.0

curl version 8.15.0 was released on July 16, 2025.

It has the following 34 published security problems.

Severity | Flaw | First | Last
L | CVE-2026-12064: proto-default skips SSH verification | 7.81.0 | 8.20.0
M | CVE-2026-11856: cross-origin Digest auth state leak | 7.10.6 | 8.20.0
L | CVE-2026-10536: HTTP/2 stream-dependency tree UAF | 7.88.0 | 8.20.0
L | CVE-2026-9547: SSH improper host validation | 7.69.0 | 8.20.0
L | CVE-2026-9545: exposing HTTP/3 early data | 8.11.0 | 8.20.0
L | CVE-2026-9080: UAF after pause in socket callback | 8.13.0 | 8.20.0
M | CVE-2026-9079: stale proxy password leak | 8.8.0 | 8.20.0
L | CVE-2026-8932: incomplete mTLS config matching in conn reuse | 7.7 | 8.20.0
M | CVE-2026-8927: env-set cross-proxy Digest auth state leak | 7.12.0 | 8.20.0
L | CVE-2026-8926: password leak with netrc and user in URL | 8.11.1 | 8.20.0
M | CVE-2026-8925: SASL double-free | 8.15.0 | 8.20.0
L | CVE-2026-8924: trailing dot domain super cookie | 7.46.0 | 8.20.0
L | CVE-2026-8458: wrong reuse for different services | 7.43.0 | 8.20.0
L | CVE-2026-8286: wrong STARTTLS connection reuse | 7.30.0 | 8.20.0
M | CVE-2026-7168: cross-proxy Digest auth state leak | 7.12.0 | 8.19.0
M | CVE-2026-6429: netrc credential leak with reused proxy connection | 7.14.0 | 8.19.0
L | CVE-2026-6276: stale custom cookie host causes cookie leak | 7.71.0 | 8.19.0
M | CVE-2026-6253: proxy credentials leak over redirect-to proxy | 7.14.1 | 8.19.0
L | CVE-2026-5773: wrong reuse of SMB connection | 7.40.0 | 8.19.0
M | CVE-2026-5545: wrong reuse of HTTP Negotiate connection | 7.10.6 | 8.19.0
L | CVE-2026-4873: connection reuse ignores TLS requirement | 7.20.0 | 8.19.0
M | CVE-2026-3805: use after free in SMB connection reuse | 8.13.0 | 8.18.0
L | CVE-2026-3784: wrong proxy connection reuse with credentials | 7.7 | 8.18.0
M | CVE-2026-3783: token leak with redirect and netrc | 7.33.0 | 8.18.0
M | CVE-2026-1965: bad reuse of HTTP Negotiate connection | 7.10.6 | 8.18.0
L | CVE-2025-15224: libssh key passphrase bypass without agent set | 7.58.0 | 8.17.0
L | CVE-2025-15079: libssh global known_hosts override | 7.58.0 | 8.17.0
L | CVE-2025-14819: OpenSSL partial chain store policy bypass | 7.87.0 | 8.17.0
L | CVE-2025-14524: bearer token leak on cross-protocol redirect | 7.33.0 | 8.17.0
M | CVE-2025-14017: broken TLS options for threaded LDAPS | 7.17.0 | 8.17.0
M | CVE-2025-13034: No QUIC certificate pinning with GnuTLS | 8.8.0 | 8.17.0
L | CVE-2025-10966: missing SFTP host verification with wolfSSH | 7.69.0 | 8.16.0
L | CVE-2025-10148: predictable WebSocket mask | 8.11.0 | 8.15.0
L | CVE-2025-9086: Out of bounds read for cookie path | 8.13.0 | 8.15.0

Further details

CVE data for 8.15.0 provided as JSON.

Changelog for curl 8.15.0

See vulnerability summary for the previous release: 8.14.1 or the subsequent release: 8.16.0