CVE-2026-6276: Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without…

CVE-2026-4873 curl vulnerabilities Title: curl vulnerabilities Summary: curl could be made to expose sensitive information over the network. It was discovered that curl incorrectly reused non-TLS connections when TLS was required in some STARTTLS configurations. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-4873) It was discovered that curl incorrectly reused certain HTTP Negotiate connections. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-5545) It was discovered that curl incorrectly reused certain SMB connections. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-5773) It was discovered that curl could leak proxy credentials when handling redirects in some configurations. A remote attacke

CVE-2026-6276 [LOW] CWE-346 curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers A flaw was found in libcurl. This vulnerability allows for information disclosure when a custom `Host:` header is used in an initial HTTP request, and a subsequent request reuses the same connection without specifying a new `Host:` header. This can lead to libcurl incorrectly sending cookies intended for the first host to the second host, resulting in a cookie leak. This issue is categorized as an Origin Validation Error (CWE-346). Exploitation typically requires specific debugging configurations. Statement: This Low severity flaw affects libcurl when a custom `Host:` header is initially set for an HTTP request, and a subsequent request uses the same easy handle without a custom `Ho

CVE-2026-6276 [HIGH] CWE-319 GHSA-2jc6-hc33-hv48: Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* bu Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.

CVE-2026-6276 [LOW] CVE-2026-6276 curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers CVE-2026-6276 curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers A flaw was found in libcurl. This vulnerability allows for information disclosure when a custom `Host:` header is used in an initial HTTP request, and a subsequent request reuses the same connection without specifying a new `Host:` header. In such a scenario, libcurl may incorrectly send cookies intended for the first host to the second host, leading to a cookie leak. This issue is an Origin Validation Error (CWE-346).