CVE-2026-8924 PUBLISHED

trailing dot domain super cookie

Assigner: curl
Reserved: 19.05.2026 Published: 03.07.2026 Updated: 03.07.2026

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.

Product Status

Vendor curl
Product curl
Versions Default: unaffected
  • affected from 8.20.0 to 8.20.0 (incl.)
  • affected from 8.19.0 to 8.19.0 (incl.)
  • affected from 8.18.0 to 8.18.0 (incl.)
  • affected from 8.17.0 to 8.17.0 (incl.)
  • affected from 8.16.0 to 8.16.0 (incl.)
  • affected from 8.15.0 to 8.15.0 (incl.)
  • affected from 8.14.1 to 8.14.1 (incl.)
  • affected from 8.14.0 to 8.14.0 (incl.)
  • affected from 8.13.0 to 8.13.0 (incl.)
  • affected from 8.12.1 to 8.12.1 (incl.)
  • affected from 8.12.0 to 8.12.0 (incl.)
  • affected from 8.11.1 to 8.11.1 (incl.)
  • affected from 8.11.0 to 8.11.0 (incl.)
  • affected from 8.10.1 to 8.10.1 (incl.)
  • affected from 8.10.0 to 8.10.0 (incl.)
  • affected from 8.9.1 to 8.9.1 (incl.)
  • affected from 8.9.0 to 8.9.0 (incl.)
  • affected from 8.8.0 to 8.8.0 (incl.)
  • affected from 8.7.1 to 8.7.1 (incl.)
  • affected from 8.7.0 to 8.7.0 (incl.)
  • affected from 8.6.0 to 8.6.0 (incl.)
  • affected from 8.5.0 to 8.5.0 (incl.)
  • affected from 8.4.0 to 8.4.0 (incl.)
  • affected from 8.3.0 to 8.3.0 (incl.)
  • affected from 8.2.1 to 8.2.1 (incl.)
  • affected from 8.2.0 to 8.2.0 (incl.)
  • affected from 8.1.2 to 8.1.2 (incl.)
  • affected from 8.1.1 to 8.1.1 (incl.)
  • affected from 8.1.0 to 8.1.0 (incl.)
  • affected from 8.0.1 to 8.0.1 (incl.)
  • affected from 8.0.0 to 8.0.0 (incl.)
  • affected from 7.88.1 to 7.88.1 (incl.)
  • affected from 7.88.0 to 7.88.0 (incl.)
  • affected from 7.87.0 to 7.87.0 (incl.)
  • affected from 7.86.0 to 7.86.0 (incl.)
  • affected from 7.85.0 to 7.85.0 (incl.)
  • affected from 7.84.0 to 7.84.0 (incl.)
  • affected from 7.83.1 to 7.83.1 (incl.)
  • affected from 7.83.0 to 7.83.0 (incl.)
  • affected from 7.82.0 to 7.82.0 (incl.)
  • affected from 7.81.0 to 7.81.0 (incl.)
  • affected from 7.80.0 to 7.80.0 (incl.)
  • affected from 7.79.1 to 7.79.1 (incl.)
  • affected from 7.79.0 to 7.79.0 (incl.)
  • affected from 7.78.0 to 7.78.0 (incl.)
  • affected from 7.77.0 to 7.77.0 (incl.)
  • affected from 7.76.1 to 7.76.1 (incl.)
  • affected from 7.76.0 to 7.76.0 (incl.)
  • affected from 7.75.0 to 7.75.0 (incl.)
  • affected from 7.74.0 to 7.74.0 (incl.)
  • affected from 7.73.0 to 7.73.0 (incl.)
  • affected from 7.72.0 to 7.72.0 (incl.)
  • affected from 7.71.1 to 7.71.1 (incl.)
  • affected from 7.71.0 to 7.71.0 (incl.)
  • affected from 7.70.0 to 7.70.0 (incl.)
  • affected from 7.69.1 to 7.69.1 (incl.)
  • affected from 7.69.0 to 7.69.0 (incl.)
  • affected from 7.68.0 to 7.68.0 (incl.)
  • affected from 7.67.0 to 7.67.0 (incl.)
  • affected from 7.66.0 to 7.66.0 (incl.)
  • affected from 7.65.3 to 7.65.3 (incl.)
  • affected from 7.65.2 to 7.65.2 (incl.)
  • affected from 7.65.1 to 7.65.1 (incl.)
  • affected from 7.65.0 to 7.65.0 (incl.)
  • affected from 7.64.1 to 7.64.1 (incl.)
  • affected from 7.64.0 to 7.64.0 (incl.)
  • affected from 7.63.0 to 7.63.0 (incl.)
  • affected from 7.62.0 to 7.62.0 (incl.)
  • affected from 7.61.1 to 7.61.1 (incl.)
  • affected from 7.61.0 to 7.61.0 (incl.)
  • affected from 7.60.0 to 7.60.0 (incl.)
  • affected from 7.59.0 to 7.59.0 (incl.)
  • affected from 7.58.0 to 7.58.0 (incl.)
  • affected from 7.57.0 to 7.57.0 (incl.)
  • affected from 7.56.1 to 7.56.1 (incl.)
  • affected from 7.56.0 to 7.56.0 (incl.)
  • affected from 7.55.1 to 7.55.1 (incl.)
  • affected from 7.55.0 to 7.55.0 (incl.)
  • affected from 7.54.1 to 7.54.1 (incl.)
  • affected from 7.54.0 to 7.54.0 (incl.)
  • affected from 7.53.1 to 7.53.1 (incl.)
  • affected from 7.53.0 to 7.53.0 (incl.)
  • affected from 7.52.1 to 7.52.1 (incl.)
  • affected from 7.52.0 to 7.52.0 (incl.)
  • affected from 7.51.0 to 7.51.0 (incl.)
  • affected from 7.50.3 to 7.50.3 (incl.)
  • affected from 7.50.2 to 7.50.2 (incl.)
  • affected from 7.50.1 to 7.50.1 (incl.)
  • affected from 7.50.0 to 7.50.0 (incl.)
  • affected from 7.49.1 to 7.49.1 (incl.)
  • affected from 7.49.0 to 7.49.0 (incl.)
  • affected from 7.48.0 to 7.48.0 (incl.)
  • affected from 7.47.1 to 7.47.1 (incl.)
  • affected from 7.47.0 to 7.47.0 (incl.)
  • affected from 7.46.0 to 7.46.0 (incl.)

Credits

  • vegagent on hackerone finder
  • Daniel Stenberg remediation developer

References

Problem Types

  • CWE-201 Information Exposure Through Sent Data