Haxx Haxx Org behind the curl project, with curl lead developer Daniel Stenberg

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Haxx product.

RSS Feeds for Haxx security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Haxx products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Haxx Sorted by Most Security Vulnerabilities since 2018

Haxx Curl128 vulnerabilities

Haxx Libcurl29 vulnerabilities

By the Year

In 2026 there have been 36 vulnerabilities in Haxx with an average score of 7.1 out of ten. Last year, in 2025 Haxx had 9 security vulnerabilities published. That is, 27 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.09.




Year Vulnerabilities Average Score
2026 36 7.11
2025 9 6.03
2024 12 5.51
2023 21 6.81
2022 20 6.88
2021 13 5.87
2020 6 6.33
2019 7 7.78
2018 19 8.96

It may take a day or so for new Haxx vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Haxx Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-9547 Jul 03, 2026
libcurl SSH Key Type Mismatch Allows Silent MITM via CURLOPT_SSH_KEYFUNCTION When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
Curl
CVE-2026-9546 Jul 03, 2026
libcurl : Referer Header Persists After NULL Clearing (CVE-2026-9546) A vulnerability in libcurl caused the HTTP `Referer:` header to persist even when explicitly cleared. While the documentation states that passing NULL to `CURLOPT_REFERER` suppresses the header, the option failed to clear the internal state. As a result the previous referrer string was erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers.
Curl
CVE-2026-9545 Jul 03, 2026
libcurl HTTP/3 session resumption EarlyData info leak In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.
Curl
CVE-2026-9080 Jul 03, 2026
libcurl UAF via curl_easy_pause() in SOCKETFUNCTION Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.
Curl
CVE-2026-9079 Jul 03, 2026
Privilege Esc Escalation: libcurl Fails to Clear Proxy Auth Credentials libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.
Curl
CVE-2026-8932 Jul 03, 2026
libcurl mTLS cert mismatch causes insecure connection reuse libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.
Curl
CVE-2026-8927 Jul 03, 2026
libcurl: Proxy Auth Leakage on Reused Handles When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
Curl
CVE-2026-8926 Jul 03, 2026
curl Credential Inference via .netrc/Username Mismatch When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.
Curl
CVE-2026-8925 Jul 03, 2026
cURL doublefree via GSASL context cleanup bug The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.
Curl
CVE-2026-8924 Jul 03, 2026
Curl Cookie Parsing Vulnerability: Super Cookies Bypass PSL A flaw in curls cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
Curl
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.