CVE-2026-8924
ADVISORY - debianSummary
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
- curl 8.21.0~rc2-1 [trixie] - curl (Minor issue) [bookworm] - curl (Minor issue; trailing-dot super cookie; PSL-enabled build mitigates) [bullseye] - curl (Minor issue; trailing-dot super cookie; PSL-enabled build mitigates) https://curl.se/docs/CVE-2026-8924.html Introduced with: https://github.com/curl/curl/commit/e77b5b7453c1e8ccd7ec0816890d98e2f392e465 (curl-7_46_0) Fixed by: https://github.com/curl/curl/commit/51beed175dbfc37da3113f6acce60c630c070ce8 (rc-8_21_0-1, curl-8_21_0)
EPSS Score: 0.00649 (0.469)
Common Weakness Enumeration (CWE)
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in