Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3115 articles · 171958 vulns · 36/41 feeds (7d)
← Back to list
9.1
CVE-2026-8924
curl · curl

trailing dot domain super cookie

Description

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.

Affected Products

VendorProductVersions
curlcurl8.20.0, 8.19.0, 8.18.0, 8.17.0, 8.16.0, 8.15.0, 8.14.1, 8.14.0, 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0, 8.7.1, 8.7.0, 8.6.0, 8.5.0, 8.4.0, 8.3.0, 8.2.1, 8.2.0, 8.1.2, 8.1.1, 8.1.0, 8.0.1, 8.0.0, 7.88.1, 7.88.0, 7.87.0, 7.86.0, 7.85.0, 7.84.0, 7.83.1, 7.83.0, 7.82.0, 7.81.0, 7.80.0, 7.79.1, 7.79.0, 7.78.0, 7.77.0, 7.76.1, 7.76.0, 7.75.0, 7.74.0, 7.73.0, 7.72.0, 7.71.1, 7.71.0, 7.70.0, 7.69.1, 7.69.0, 7.68.0, 7.67.0, 7.66.0, 7.65.3, 7.65.2, 7.65.1, 7.65.0, 7.64.1, 7.64.0, 7.63.0, 7.62.0, 7.61.1, 7.61.0, 7.60.0, 7.59.0, 7.58.0, 7.57.0, 7.56.1, 7.56.0, 7.55.1, 7.55.0, 7.54.1, 7.54.0, 7.53.1, 7.53.0, 7.52.1, 7.52.0, 7.51.0, 7.50.3, 7.50.2, 7.50.1, 7.50.0, 7.49.1, 7.49.0, 7.48.0, 7.47.1, 7.47.0, 7.46.0

References

  • https://curl.se/docs/CVE-2026-8924.json
  • https://curl.se/docs/CVE-2026-8924.html
  • https://hackerone.com/reports/3733905

Related News (3 articles)

Tier A
Microsoft MSRC3h ago
CVE-2026-8924 trailing dot domain super cookie
→ No new info (linked only)
Tier C
VulDB4d ago
CVE-2026-8924 | cURL up to 8.20.0 HTTP insertion of sensitive information into sent data
→ No new info (linked only)
Tier B
BSI Advisories12d ago
[NEU] [mittel] cURL: Mehrere Schwachstellen
→ No new info (linked only)
CVSS 3.19.1 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA KEV❌ No
Actively exploited❌ No
PublishedJul 3, 2026
Last enriched4d agov2
Trending Score68
Source articles3
Independent3
Info Completeness6/14
Missing: cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-8926EXP
password leak with netrc and user in URL
Trending: 77
CRITICALCVE-2026-10536
HTTP/2 stream-dependency tree UAF
Trending: 68
CRITICALCVE-2026-9080EXP
UAF after pause in socket callback
Trending: 60
HIGHCVE-2026-8286
wrong STARTTLS connection reuse
Trending: 58
HIGHCVE-2026-9545
exposing HTTP/3 early data
Trending: 56

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 3, 2026
Discovered by ZDM
Jul 3, 2026
Updated: description, severity
Jul 3, 2026

Version History

v2
Last enriched 4d ago
v2Tier C4d ago

Updated description with new details about the vulnerability and changed severity to HIGH.

descriptionseverity
via VulDB
v14d ago

Initial creation