libcurl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if the hostname is provided with a trailing dot.
curl can be told to receive and send cookies when communicating using HTTP(S). curl's "cookie engine" can be built with or without Public Suffix List awareness. If PSL support not provided, a more rudimentary check exists to at least prevent cookies from being set on TLDs. This check was broken if the hostname in the URL uses a trailing dot.
This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.