A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set "super cookies" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
{
"www": "https://curl.se/docs/CVE-2026-8924.html",
"URL": "https://curl.se/docs/CVE-2026-8924.json",
"last_affected": "8.20.0",
"package": "curl",
"CWE": {
"desc": "Information Exposure Through Sent Data",
"id": "CWE-201"
},
"affects": "both",
"issue": "https://hackerone.com/reports/3733905",
"severity": "Low"
}[
{
"signature_type": "Function",
"target": {
"function": "is_public_suffix",
"file": "lib/cookie.c"
},
"source": "https://github.com/curl/curl.git/commit/51beed175dbfc37da3113f6acce60c630c070ce8",
"deprecated": false,
"digest": {
"function_hash": "335131051994932031989893635630674715587",
"length": 1169.0
},
"signature_version": "v1",
"id": "CURL-CVE-2026-8924-2522c436"
},
{
"signature_type": "Line",
"target": {
"file": "lib/cookie.c"
},
"source": "https://github.com/curl/curl.git/commit/51beed175dbfc37da3113f6acce60c630c070ce8",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"169337999188256190714791795318413023466",
"83941563893831075434737957461444023007",
"290656883257034455718269047425596961497",
"128239869894127245898894739649854696868",
"284134061910249587225395334356655932742",
"274688375762767551377970585583374821277",
"151327342236776251830642709660831085730",
"199459904939080377542151089627839573826",
"109306483060873899948608905735302233218"
]
},
"signature_version": "v1",
"id": "CURL-CVE-2026-8924-ddd759ad"
}
]
"https://curl.se/docs/CURL-CVE-2026-8924.json"
"2026-07-07T18:35:05Z"