Vulnerability Details CVE-2026-8924
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set
'super cookies' that bypass the Public Suffix List check. This enables an
attacker-controlled origin to inject cookies that curl subsequently scopes and
transmits to unrelated third-party domains.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 41.3%
CVSS Severity
CVSS v3 Score 9.1
Products affected by CVE-2026-8924
-
cpe:2.3:a:haxx:curl:7.46.0
-
cpe:2.3:a:haxx:curl:7.47.0
-
cpe:2.3:a:haxx:curl:7.47.1
-
cpe:2.3:a:haxx:curl:7.48.0
-
cpe:2.3:a:haxx:curl:7.49.0
-
cpe:2.3:a:haxx:curl:7.49.1
-
cpe:2.3:a:haxx:curl:7.50.0
-
cpe:2.3:a:haxx:curl:7.50.1
-
cpe:2.3:a:haxx:curl:7.50.2
-
cpe:2.3:a:haxx:curl:7.50.3
-
cpe:2.3:a:haxx:curl:7.51.0
-
cpe:2.3:a:haxx:curl:7.52.0
-
cpe:2.3:a:haxx:curl:7.52.1
-
cpe:2.3:a:haxx:curl:7.53.0
-
cpe:2.3:a:haxx:curl:7.53.1
-
cpe:2.3:a:haxx:curl:7.54.0
-
cpe:2.3:a:haxx:curl:7.54.1
-
cpe:2.3:a:haxx:curl:7.55.0
-
cpe:2.3:a:haxx:curl:7.55.1
-
cpe:2.3:a:haxx:curl:7.56.0
-
cpe:2.3:a:haxx:curl:7.56.1
-
cpe:2.3:a:haxx:curl:7.57.0
-
cpe:2.3:a:haxx:curl:7.58.0
-
cpe:2.3:a:haxx:curl:7.59.0
-
cpe:2.3:a:haxx:curl:7.60.0
-
cpe:2.3:a:haxx:curl:7.61.0
-
cpe:2.3:a:haxx:curl:7.61.1
-
cpe:2.3:a:haxx:curl:7.62.0
-
cpe:2.3:a:haxx:curl:7.63.0
-
cpe:2.3:a:haxx:curl:7.64.0
-
cpe:2.3:a:haxx:curl:7.64.1
-
cpe:2.3:a:haxx:curl:7.65.0
-
cpe:2.3:a:haxx:curl:7.65.1
-
cpe:2.3:a:haxx:curl:7.65.2
-
cpe:2.3:a:haxx:curl:7.65.3
-
cpe:2.3:a:haxx:curl:7.66.0
-
cpe:2.3:a:haxx:curl:7.67.0
-
cpe:2.3:a:haxx:curl:7.68.0
-
cpe:2.3:a:haxx:curl:7.69.0
-
cpe:2.3:a:haxx:curl:7.69.1
-
cpe:2.3:a:haxx:curl:7.70.0
-
cpe:2.3:a:haxx:curl:7.71.0
-
cpe:2.3:a:haxx:curl:7.71.1
-
cpe:2.3:a:haxx:curl:7.72.0
-
cpe:2.3:a:haxx:curl:7.73.0
-
cpe:2.3:a:haxx:curl:7.74.0
-
cpe:2.3:a:haxx:curl:7.75.0
-
cpe:2.3:a:haxx:curl:7.76.0
-
cpe:2.3:a:haxx:curl:7.76.1
-
cpe:2.3:a:haxx:curl:7.77.0
-
cpe:2.3:a:haxx:curl:7.78.0
-
cpe:2.3:a:haxx:curl:7.79.0
-
cpe:2.3:a:haxx:curl:7.79.1
-
cpe:2.3:a:haxx:curl:7.80.0
-
cpe:2.3:a:haxx:curl:7.81.0
-
cpe:2.3:a:haxx:curl:7.82.0
-
cpe:2.3:a:haxx:curl:7.83.0
-
cpe:2.3:a:haxx:curl:7.83.1
-
cpe:2.3:a:haxx:curl:7.84.0
-
cpe:2.3:a:haxx:curl:7.85.0
-
cpe:2.3:a:haxx:curl:7.86.0
-
cpe:2.3:a:haxx:curl:7.87.0
-
cpe:2.3:a:haxx:curl:7.88.0
-
cpe:2.3:a:haxx:curl:7.88.1
-
cpe:2.3:a:haxx:curl:8.0.0
-
cpe:2.3:a:haxx:curl:8.0.1
-
cpe:2.3:a:haxx:curl:8.1.0
-
cpe:2.3:a:haxx:curl:8.1.1
-
cpe:2.3:a:haxx:curl:8.1.2
-
cpe:2.3:a:haxx:curl:8.10.0
-
cpe:2.3:a:haxx:curl:8.10.1
-
cpe:2.3:a:haxx:curl:8.11.0
-
cpe:2.3:a:haxx:curl:8.11.1
-
cpe:2.3:a:haxx:curl:8.12.0
-
cpe:2.3:a:haxx:curl:8.12.1
-
cpe:2.3:a:haxx:curl:8.13.0
-
cpe:2.3:a:haxx:curl:8.14.0
-
cpe:2.3:a:haxx:curl:8.14.1
-
cpe:2.3:a:haxx:curl:8.15.0
-
cpe:2.3:a:haxx:curl:8.16.0
-
cpe:2.3:a:haxx:curl:8.17.0
-
cpe:2.3:a:haxx:curl:8.18.0
-
cpe:2.3:a:haxx:curl:8.2.0
-
cpe:2.3:a:haxx:curl:8.2.1
-
cpe:2.3:a:haxx:curl:8.4.0
-
cpe:2.3:a:haxx:curl:8.5.0
-
cpe:2.3:a:haxx:curl:8.6.0
-
cpe:2.3:a:haxx:curl:8.7.0
-
cpe:2.3:a:haxx:curl:8.7.1
-
cpe:2.3:a:haxx:curl:8.8.0
-
cpe:2.3:a:haxx:curl:8.9.0
-
cpe:2.3:a:haxx:curl:8.9.1