Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3114 articles · 171961 vulns · 36/41 feeds (7d)
← Back to list
8.1
CVE-2026-8286
curl · curl

wrong STARTTLS connection reuse

Description

A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.

Affected Products

VendorProductVersions
curlcurl8.20.0, 8.19.0, 8.18.0, 8.17.0, 8.16.0, 8.15.0, 8.14.1, 8.14.0, 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0, 8.7.1, 8.7.0, 8.6.0, 8.5.0, 8.4.0, 8.3.0, 8.2.1, 8.2.0, 8.1.2, 8.1.1, 8.1.0, 8.0.1, 8.0.0, 7.88.1, 7.88.0, 7.87.0, 7.86.0, 7.85.0, 7.84.0, 7.83.1, 7.83.0, 7.82.0, 7.81.0, 7.80.0, 7.79.1, 7.79.0, 7.78.0, 7.77.0, 7.76.1, 7.76.0, 7.75.0, 7.74.0, 7.73.0, 7.72.0, 7.71.1, 7.71.0, 7.70.0, 7.69.1, 7.69.0, 7.68.0, 7.67.0, 7.66.0, 7.65.3, 7.65.2, 7.65.1, 7.65.0, 7.64.1, 7.64.0, 7.63.0, 7.62.0, 7.61.1, 7.61.0, 7.60.0, 7.59.0, 7.58.0, 7.57.0, 7.56.1, 7.56.0, 7.55.1, 7.55.0, 7.54.1, 7.54.0, 7.53.1, 7.53.0, 7.52.1, 7.52.0, 7.51.0, 7.50.3, 7.50.2, 7.50.1, 7.50.0, 7.49.1, 7.49.0, 7.48.0, 7.47.1, 7.47.0, 7.46.0, 7.45.0, 7.44.0, 7.43.0, 7.42.1, 7.42.0, 7.41.0, 7.40.0, 7.39.0, 7.38.0, 7.37.1, 7.37.0, 7.36.0, 7.35.0, 7.34.0, 7.33.0, 7.32.0, 7.31.0, 7.30.0

References

  • https://curl.se/docs/CVE-2026-8286.json
  • https://curl.se/docs/CVE-2026-8286.html
  • https://hackerone.com/reports/3718195

Related News (4 articles)

Tier A
Microsoft MSRC3h ago
CVE-2026-8286 wrong STARTTLS connection reuse
→ No new info (linked only)
Tier C
VulDB4d ago
CVE-2026-8286 | cURL up to 8.20.0 certificate validation
→ No new info (linked only)
Tier B
BSI Advisories12d ago
[NEU] [mittel] cURL: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
oss-security12d ago
[SECURITY ADVISORIES] for curl 8.21.0
→ No new info (linked only)
CVSS 3.18.1 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA KEV❌ No
Actively exploited❌ No
PublishedJul 3, 2026
Last enriched4d agov2
Trending Score58
Source articles4
Independent4
Info Completeness6/14
Missing: cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-8926EXP
password leak with netrc and user in URL
Trending: 77
CRITICALCVE-2026-10536
HTTP/2 stream-dependency tree UAF
Trending: 68
CRITICALCVE-2026-8924
trailing dot domain super cookie
Trending: 68
CRITICALCVE-2026-9080EXP
UAF after pause in socket callback
Trending: 60
HIGHCVE-2026-9545
exposing HTTP/3 early data
Trending: 56

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 3, 2026
Discovered by ZDM
Jul 3, 2026
Updated: severity
Jul 3, 2026

Version History

v2
Last enriched 4d ago
v2Tier C4d ago

Updated severity to HIGH and confirmed no exploit exists.

severity
via VulDB
v14d ago

Initial creation