curl / Docs / Vulnerability table / 8.19.0 vulnerabilities

Vulnerabilities in curl 8.19.0

curl version 8.19.0 was released on March 11 2026

It has the following 26 published security problems.

Flaw	From version	To and including
proto-default skips SSH verification	7.81.0	8.20.0
cross-origin Digest auth state leak	7.10.6	8.20.0
WS Auto-PONG memory exhaustion	8.16.0	8.20.0
Native CA trust persist	8.17.0	8.20.0
QUIC zero-length UDP datagrams busy-loop	8.18.0	8.20.0
HTTP/2 stream-dependency tree UAF	7.88.0	8.20.0
SSH improper host validation	7.69.0	8.20.0
sending old referer	8.18.0	8.20.0
exposing HTTP/3 early data	8.11.0	8.20.0
UAF after pause in socket callback	8.13.0	8.20.0
stale proxy password leak	8.8.0	8.20.0
incomplete mTLS config matching in conn reuse	7.7	8.20.0
env-set cross-proxy Digest auth state leak	7.12.0	8.20.0
password leak with netrc and user in URL	8.11.1	8.20.0
SASL double-free	8.15.0	8.20.0
trailing dot domain super cookie	7.46.0	8.20.0
wrong reuse for different services	7.43.0	8.20.0
wrong STARTTLS connection reuse	7.30.0	8.20.0
cross-proxy Digest auth state leak	7.12.0	8.19.0
OCSP stapling bypass with Apple SecTrust	8.17.0	8.19.0
netrc credential leak with reused proxy connection	7.14.0	8.19.0
stale custom cookie host causes cookie leak	7.71.0	8.19.0
proxy credentials leak over redirect-to proxy	7.14.1	8.19.0
wrong reuse of SMB connection	7.40.0	8.19.0
wrong reuse of HTTP Negotiate connection	7.10.6	8.19.0
connection reuse ignores TLS requirement	7.20.0	8.19.0

Further details

CVE data for 8.19.0 provided as JSON.