Description
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
References (3)
Core 3
Core References
Scores
CVSS v3
9.1
EPSS
0.0065
EPSS Percentile
46.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
Status
published
Products (50)
curl/curl
7.46.0
curl/curl
7.47.0
curl/curl
7.47.1
curl/curl
7.48.0
curl/curl
7.49.0
curl/curl
7.49.1
curl/curl
7.50.0
curl/curl
7.50.1
curl/curl
7.50.2
curl/curl
7.50.3
... and 40 more
Published
Jul 03, 2026
Tracked Since
Jul 03, 2026