Cookie Parsing Flaw in Curl Affects Multiple Domains
CVE-2026-8924

Currently unrated

Key Information:

Vendor: Curl

Status
Vendor
CVE Published: 3 July 2026

What is CVE-2026-8924?

A vulnerability exists within the cookie parsing logic of Curl, which enables a malicious HTTP server to create 'super cookies'. This flaw circumvents the Public Suffix List check, allowing an attacker to inject cookies that Curl mistakenly associates with unrelated third-party domains. This could lead to unauthorized data sharing and potential exposure of sensitive information to untrustworthy sources.

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

vegagent on HackerOne
Daniel Stenberg