CVE-2026-8924
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
View on NVDAnalysis
A critical vulnerability in curl's cookie parsing logic allows malicious servers to bypass Public Suffix List restrictions. Attackers can inject 'super cookies' that curl will then transmit to unrelated third-party domains, potentially leading to session hijacking or sensitive data exposure across the web.
Relevant roles
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NEPSS
Technical description
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.